CVE-2022-29253

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.7 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
2.7 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
VendorProductVersion
xwikixwiki
8.4 ≤
𝑥
< 13.10.3
xwikixwiki
8.3:rc1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9qrp-h7fw-42hg
https://jira.xwiki.org/browse/XWIKI-19349
https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9qrp-h7fw-42hg
https://jira.xwiki.org/browse/XWIKI-19349