CVE-2022-24897 : APIs to evaluate content with Velocity is a package for APIs to evaluate content

APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.

Published 2022-05-02 22:15:10

Updated 2023-07-06 13:35:11

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2022-24897

Xwiki » Xwiki
Versions from including (>=) 12.7 and before (<) 12.10.3
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Matching versions
Xwiki » Xwiki
Versions from including (>=) 2.3 and before (<) 12.6.7
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-24897

EPSS FAQ

0.41%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 60 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-24897

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.0	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:P	6.8	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.6	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.6	5.9	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-24897

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-24897

https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8

XWIKI-5168: Don't allow some methods in velocity introspector (#127) · xwiki/xwiki-commons@215951c · GitHub
Patch;Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-5168

[XWIKI-5168] Arbitrary filesystem write access from velocity. - XWiki.org JIRA
Exploit;Vendor Advisory
https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc

Arbitrary filesystem write access from velocity. · Advisory · xwiki/xwiki-commons · GitHub
Third Party Advisory
https://github.com/xwiki/xwiki-commons/pull/127

XWIKI-5168: Don't allow some methods in velocity introspector by surli · Pull Request #127 · xwiki/xwiki-commons · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-24897

Products affected by CVE-2022-24897

Exploit prediction scoring system (EPSS) score for CVE-2022-24897

CVSS scores for CVE-2022-24897

CWE ids for CVE-2022-24897

References for CVE-2022-24897