CRITICAL

GHSA-xq3r-2qv5-vqqm

XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash

Details

### Impact

It is possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false`.

This can apparently be reproduced on Tomcat instances.
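As an added illustration (not part of the advisory and not XWiki's own code), the Python block below shows two defender-side checks for the issue described above: an access-log scan that flags requests to the `ssx`/`jsx` endpoints whose `resource` parameter escapes the resource root after decoding, including the leading-slash form quoted in the Impact section, and a canonicalisation check of the kind a resource resolver should apply before opening a file. The log lines, the resource root path, and all function names are constructed for this example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Tomcat-style access log lines (not real traffic). Line 2 carries the
# leading-slash traversal quoted in the advisory; line 3 is the same path, percent-
# encoded, against the jsx endpoint; line 5 contains '..' but never leaves the root.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /bin/ssx/Main/WebHome?resource=Main/WebHome.css&minify=false HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2025:10:01:05 +0000] "GET /bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 3120
10.0.0.7 - - [12/Mar/2025:10:01:09 +0000] "GET /bin/jsx/Main/WebHome?resource=%2F..%2F..%2FWEB-INF%2Fxwiki.cfg HTTP/1.1" 200 3120
10.0.0.9 - - [12/Mar/2025:10:01:11 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8000
10.0.0.9 - - [12/Mar/2025:10:01:14 +0000] "GET /bin/ssx/Main/WebHome?resource=a/../b.css HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SKIN_ENDPOINT_RE = re.compile(r"^/bin/(?P<endpoint>ssx|jsx)/")


def escapes_root(resource: str) -> bool:
    """Return True if the resource path climbs above its root.

    Segments are walked with a depth counter, so '/../../x' (leading slash, the
    form in the advisory) and '../x' are both caught, while 'a/../b' is not.
    unquote() is applied once more so a double-encoded value is still inspected.
    """
    depth = 0
    for segment in unquote(resource).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if depth == 0:
                return True
            depth -= 1
        else:
            depth += 1
    return False


def find_traversal_attempts(log_text: str) -> list:
    """Scan access-log text and report ssx/jsx requests whose resource escapes root."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        endpoint = SKIN_ENDPOINT_RE.match(parts.path)
        if not endpoint:
            continue
        # parse_qs percent-decodes values, so %2F..%2F already reads as /../ here.
        for resource in parse_qs(parts.query).get("resource", []):
            if escapes_root(resource):
                findings.append({
                    "client": line.split(" ", 1)[0],
                    "endpoint": endpoint.group("endpoint"),
                    "resource": unquote(resource),
                    "leading_slash": unquote(resource).startswith("/"),
                })
    return findings


# Constructed resource root; a real deployment would use the webapp's own directory.
RESOURCE_ROOT = "/opt/tomcat/webapps/xwiki/resources"


def resolve_within_root(resource: str, root: str = RESOURCE_ROOT):
    """Canonicalise a requested resource; return its path, or None if it escapes root.

    Stripping the leading slash before joining is essential: posixpath.join()
    would otherwise treat '/../..' as absolute and discard the root entirely.
    """
    candidate = posixpath.normpath(posixpath.join(root, unquote(resource).lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for finding in find_traversal_attempts(SAMPLE_LOG):
        print(finding)
    print(resolve_within_root("Main/WebHome.css"))
    print(resolve_within_root("/../../WEB-INF/xwiki.cfg"))
```

The depth-counter walk is what makes the check independent of how the traversal is spelled: a resolver that only rejects values beginning with `..` misses the leading-slash variant, and one that joins the raw value onto the root with `posixpath.join()` silently drops the root when the value is absolute. Running the block over a real Tomcat access log only requires replacing `SAMPLE_LOG` with the file's contents.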

### Patches

This has been patched in 18.0.0-rc-1, 17.10.3, 17.4.9, 16.10.17.

### Workarounds

There is no known workaround, other than upgrading XWiki.

### References

* https://jira.xwiki.org/browse/XCOMMONS-3547
* https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)

### Attribution

The vulnerability was reported by Michał Kołek.


Affected packages

| Package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| Maven / org.xwiki.commons:xwiki-commons-classloader-api | 4.2-milestone-2 | 16.10.17 | pom.xml: bump `<version>16.10.17</version>` |
| Maven / org.xwiki.commons:xwiki-commons-classloader-api | 17.0.0-rc-1 | 17.4.9 | pom.xml: bump `<version>17.4.9</version>` |
| Maven / org.xwiki.commons:xwiki-commons-classloader-api | 17.5.0 | 17.10.3 | pom.xml: bump `<version>17.10.3</version>` |
| Maven / org.xwiki.commons:xwiki-commons-classloader-api | 18.0.0-rc-1 | 18.1.0-rc-1 | pom.xml: bump `<version>18.1.0-rc-1</version>` |
