CVE-2024-21651

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-21651
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4 Issue Tracking Vendor Advisory
https://jira.xwiki.org/browse/XCOMMONS-2796 Issue Tracking Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
History

12 Jan 2024, 17:15

Type Values Removed Values Added
References () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4 - () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4 - Issue Tracking, Vendor Advisory
References () https://jira.xwiki.org/browse/XCOMMONS-2796 - () https://jira.xwiki.org/browse/XCOMMONS-2796 - Issue Tracking, Vendor Advisory
CPE cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 7.5 		v2 : unknown
v3 : 6.5
First Time Xwiki
Xwiki xwiki

09 Jan 2024, 14:01

Type Values Removed Values Added
Summary
  • (es) XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Un usuario capaz de adjuntar un archivo a una página puede publicar un archivo TAR con formato incorrecto manipulando los encabezados de los tiempos de modificación del archivo, que cuando Tika los analiza, podría causar un problema de denegación de servicio debido al consumo de CPU. Esta vulnerabilidad ha sido parcheada en XWiki 14.10.18, 15.5.3 y 15.8 RC1.

09 Jan 2024, 00:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-01-09 00:15

Updated : 2024-01-12 17:15

NVD link : CVE-2024-21651

Mitre link : CVE-2024-21651

CVE.ORG link : CVE-2024-21651

JSON object : View

Products Affected

xwiki

  • xwiki
CWE
CWE-400

Uncontrolled Resource Consumption