XWiki Denial of Service attack through attachments
CVE-2024-21651

7.5HIGH

Key Information:

Vendor: xwiki
Status: xwiki-platform
Vendor: CVE Published:; 9 January 2024

Summary

The XWiki Platform is a versatile wiki application that provides runtime services for various built applications. A vulnerability exists within the platform due to improper handling of file attachments. Specifically, a user with the ability to attach files can exploit this weakness by submitting a specially crafted TAR file that manipulates file modification times headers. When this malformed file is parsed by the Tika library, it can lead to excessive CPU consumption, resulting in denial of service for users. This issue has been addressed in recent updates, including XWiki versions 14.10.18, 15.5.3, and 15.8 RC1, making it essential for users to upgrade to these patched versions to ensure system integrity.

Affected Version(s)

xwiki-platform >= 14.10, < 14.10.18 < 14.10, 14.10.18

xwiki-platform >= 15.0-rc-1, < 15.5.3 < 15.0-rc-1, 15.5.3

xwiki-platform >= 15.6-rc-1, < 15.8-rc-1 < 15.6-rc-1, 15.8-rc-1

References

https://github.com/xwiki/xwiki-platform/security/advisori...

x_refsource_CONFIRM

https://jira.xwiki.org/browse/XCOMMONS-2796

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 9, 2024
Vulnerability Reserved
Dec 29, 2023