Learn about CVE-2023-37913, a critical security flaw in XWiki Platform allowing arbitrary server-side file writing. Understand the impact, technical details, and mitigation steps.
A critical security vulnerability has been identified in XWiki Platform that could allow attackers to perform arbitrary server-side file writing through the office converter. Here's what you need to know about CVE-2023-37913.
Understanding CVE-2023-37913
XWiki Platform contains a severe vulnerability that lets an attacker holding an account able to upload attachments write files to the server by abusing the office converter.
What is CVE-2023-37913?
The vulnerability, tracked as CVE-2023-37913, is categorized under CWE-23 (Relative Path Traversal) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. Path Traversal). It carries a CVSS base score of 10, the maximum, indicating critical severity.
The Impact of CVE-2023-37913
Exploiting this vulnerability has a high impact on the confidentiality, integrity and availability of affected XWiki Platform installations. Because the attacker chooses where the file is written, the flaw can escalate to arbitrary Java code execution and compromise of the entire XWiki installation.
Technical Details of CVE-2023-37913
This section provides a deeper insight into the vulnerability, affected systems, and exploitation mechanism.
Vulnerability Description
The flaw lets an attacker write attachment content to a location of their choosing, anywhere the Java process running XWiki has write access. It is triggered by a manipulated attachment filename that the office converter uses to build the path it writes to. Versions from 3.5-milestone-1 up to, but not including, 14.10.8, and from 15.0-rc-1 up to, but not including, 15.3-rc-1 are affected.
Affected Systems and Versions
XWiki Platform versions from 3.5-milestone-1 up to but not including 14.10.8, and from 15.0-rc-1 up to but not including 15.3-rc-1, are affected; 14.10.8 and 15.3-rc-1 carry the fix. Users of the affected versions are advised to take immediate action.
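As an added example (not part of the original page and not XWiki project code), the Python helper below tells whether an XWiki Platform version string falls into the affected ranges listed above, which is the check a practitioner runs over a fleet inventory before patching. The ordering of pre-release qualifiers (milestone before rc before the final release) is an assumption about XWiki's versioning scheme; the range boundaries are taken from the advisory text above.

```python
import re
from typing import Tuple

# Assumed XWiki pre-release ordering: milestone-N < rc-N < final release.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

VersionKey = Tuple[Tuple[int, ...], int, int]

# Accepts "14.10.7", "15.3-rc-1", "15.3RC1" and "3.5-milestone-1".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-?(milestone|rc)-?(\d+))?")


def parse_version(version: str) -> VersionKey:
    """Turn an XWiki version string into a key that sorts in release order."""
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # pad so that 15.3 compares as 15.3.0
    if m.group(2) is None:
        return numbers, _FINAL_RANK, 0
    return numbers, _QUALIFIER_RANK[m.group(2)], int(m.group(3))


# (first affected, first fixed) per branch, from the advisory ranges above.
AFFECTED_RANGES = (
    ("3.5-milestone-1", "14.10.8"),
    ("15.0-rc-1", "15.3-rc-1"),
)


def is_affected(version: str) -> bool:
    """True if `version` is inside one of the affected ranges (fixed versions excluded)."""
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed inventory for illustration.
    for v in ("14.10.7", "14.10.8", "15.2", "15.3-rc-1", "15.3RC1", "3.4"):
        print(f"{v:12} affected={is_affected(v)}")
```

The pre-release qualifier is what makes the comparison non-trivial: 15.3-rc-1 must sort before 15.3 but after 15.2, and a plain numeric compare gets that wrong.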
Exploitation Mechanism
By uploading an attachment with a specially crafted filename through the REST API and then leveraging the attachment-moving feature introduced in XWiki 14.0, an attacker can make the office converter write the file to a location of their choosing on the server. The write is not constrained by the file's MIME type, so the content does not have to be an office document.
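The underlying defect is a filename that is joined onto a server directory without checking where the resulting path lands. The Python example below is added here to illustrate that pattern and its fix; it is not XWiki's code (which is Java). The scratch directory, the webapp path, the attachment names and the request path (shaped like XWiki's REST attachment route) are all constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical scratch directory the converter writes attachment content into.
SCRATCH_DIR = "/var/lib/xwiki/tmp/office"


def attachment_name_from_rest_path(rest_path: str) -> str:
    """Take the last segment of a REST attachment URL and percent-decode it.
    Decoding happens before any filename check, so an encoded "..%2F" must be
    caught after this step, not on the raw URL."""
    return unquote(rest_path.rsplit("/", 1)[-1])


def vulnerable_target(filename: str) -> str:
    """The flawed pattern: trust the attachment name and join it onto the
    scratch directory. '../' segments walk straight out of that directory."""
    return posixpath.normpath(posixpath.join(SCRATCH_DIR, filename))


def is_contained(base: str, path: str) -> bool:
    """True only if `path` is `base` itself or lives underneath it.
    commonpath() compares whole components, so '/x/officeX' is not mistaken
    for a child of '/x/office' the way a string-prefix check would."""
    base = posixpath.normpath(base)
    return posixpath.commonpath([base, posixpath.normpath(path)]) == base


def hardened_target(filename: str) -> str:
    """Accept only a single path component, then re-check containment of the
    final path as defence in depth."""
    if (not filename or filename in (".", "..") or "\x00" in filename
            or "/" in filename or "\\" in filename):
        raise ValueError(f"rejected attachment name: {filename!r}")
    target = posixpath.join(SCRATCH_DIR, filename)
    if not is_contained(SCRATCH_DIR, target):
        raise ValueError(f"rejected attachment name: {filename!r}")
    return target


def demo() -> dict:
    """Run a benign and a crafted name through both code paths.
    Returns {name: (vulnerable path, contained?, hardened path or None)}."""
    # Constructed request: five encoded '../' segments, then a path into a
    # hypothetical webapp directory where a JSP would be executed.
    rest_path = ("/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/attachments/"
                 "..%2F..%2F..%2F..%2F..%2Fopt%2Fxwiki%2Fwebapps%2Fxwiki%2Fevil.jsp")
    crafted = attachment_name_from_rest_path(rest_path)
    results = {}
    for name in ("report.docx", crafted):
        vulnerable = vulnerable_target(name)
        try:
            hardened = hardened_target(name)
        except ValueError:
            hardened = None
        results[name] = (vulnerable, is_contained(SCRATCH_DIR, vulnerable), hardened)
    return results


if __name__ == "__main__":
    for name, (vuln, contained, hard) in demo().items():
        print(f"{name!r}\n  vulnerable -> {vuln} (inside scratch dir: {contained})"
              f"\n  hardened   -> {hard}")
```

On a real filesystem the containment check should run on a symlink-resolved path (os.path.realpath) of both the base directory and the target, since a symlink inside the scratch directory can otherwise point the write elsewhere; posixpath is used here so the example behaves identically on any platform.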
Mitigation and Prevention
Protecting systems from CVE-2023-37913 requires immediate steps to mitigate risks and ensure long-term security.
Immediate Steps to Take
Users are strongly advised to update XWiki Platform to a fixed version, 14.10.8 or 15.3-rc-1 (15.3RC1) or later. There are no known workarounds other than disabling the office converter.
Long-Term Security Practices
Good security hygiene remains essential: keep software updated, monitor attachment uploads (in particular filenames containing path separators or ".." segments), and restrict the write permissions of the Java process running XWiki to the directories it actually needs, so that a path traversal cannot reach the web application's own files.
Patching and Updates
XWiki Platform users must apply the vendor's patches promptly, upgrading to 14.10.8 or 15.3-rc-1 or later, to close the window for exploitation.