Description
XWiki Platform is a generic wiki platform. The rendered diff in XWiki embeds images to be able to compare the contents and not display a difference for an actually unchanged image. For this, XWiki requests all embedded images on the server side. These requests are also sent for images from other domains and include all cookies that were sent in the original request, to ensure that images with restricted view right can be compared. Starting in version 11.10.1 and prior to versions 14.10.15, 15.5.1, and 15.6, this allows an attacker to steal login and session cookies that allow impersonating the current user who views the diff. The attack can be triggered with an image that references the rendered diff, thus making it easy to trigger. Apart from stealing login cookies, this also allows server-side request forgery (the result of any successful request is returned in the image's source) and viewing protected content, as once a resource is cached, it is returned for all users. As only successful requests are cached, the cache will be filled by the first user who is allowed to access the resource. This has been patched in XWiki 14.10.15, 15.5.1 and 15.6. The rendered diff now only downloads images from trusted domains. Further, cookies are only sent when the image's domain is the same as the requested domain. The cache has been changed to be specific for each user. As a workaround, the image embedding feature can be disabled by deleting `xwiki-platform-diff-xml-<version>.jar` in `WEB-INF/lib/`.
EPSS Score:
7%
Comprehensive Technical Analysis of EUVD-2023-2911
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Description: The vulnerability in XWiki Platform affects versions 11.10.1 through 14.10.15, 15.0-rc-1 through 15.5.1, and 15.6-rc-1 through 15.6. It allows an attacker to steal login and session cookies, perform server-side request forgery (SSRF), and view protected content. The issue arises from the way XWiki handles image requests during the rendering of diffs, which includes cookies from the original request, potentially exposing them to malicious actors.
Severity Evaluation:
The CVSS (Common Vulnerability Scoring System) base score is 9.1, indicating a critical vulnerability. The vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H breaks down as follows:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
This high score reflects the significant impact on confidentiality, integrity, and availability, making it a critical issue for organizations using XWiki Platform.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Cookie Theft: An attacker can exploit the vulnerability by embedding an image that references the rendered diff, causing the server to send cookies from the original request. This allows the attacker to steal login and session cookies, enabling impersonation of the user.
- Server-Side Request Forgery (SSRF): The attacker can manipulate the image requests to perform SSRF attacks, potentially accessing internal resources or services that are not directly exposed to the internet.
- Viewing Protected Content: Once a resource is cached, it is returned for all users, allowing unauthorized access to protected content.
Exploitation Methods:
- Embedding a malicious image in a diff that references an external domain.
- Crafting HTTP requests to exploit the SSRF vulnerability.
- Leveraging cached resources to access protected content.
3. Affected Systems and Software Versions
Affected Versions:
- XWiki Platform 11.10.1 through 14.10.15
- XWiki Platform 15.0-rc-1 through 15.5.1
- XWiki Platform 15.6-rc-1 through 15.6
Patched Versions:
- XWiki Platform 14.10.15
- XWiki Platform 15.5.1
- XWiki Platform 15.6
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Disable Image Embedding: Delete `xwiki-platform-diff-xml-<version>.jar` in `WEB-INF/lib/` to disable the image embedding feature.
- Update Software: Upgrade to the patched versions (14.10.15, 15.5.1, or 15.6) as soon as possible.
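A check an administrator can run over a listing of `WEB-INF/lib/` to see whether the workaround is in place (jar absent) or whether the bundled diff-xml jar is still at a version in an affected range. This is an added example, not XWiki tooling; the ranges come from the advisory description with the fixed release as the exclusive upper bound, and the ordering of release candidates before the final release is an assumption.

```python
import re
from typing import Tuple

# Affected ranges as given in the advisory description: lower bound inclusive,
# upper bound is the fixed release and therefore exclusive.
AFFECTED_RANGES = [
    ("11.10.1", "14.10.15"),
    ("15.0-rc-1", "15.5.1"),
    ("15.6-rc-1", "15.6"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-rc-(\d+))?$")
_JAR_RE = re.compile(r"^xwiki-platform-diff-xml-(.+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Map an XWiki version such as '15.5-rc-1' to a sortable tuple.
    Numeric parts are padded to three components; a release candidate sorts
    before the final release of the same number (15.6-rc-1 < 15.6 < 15.6.1).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    rc = m.group(2)
    return tuple(nums) + ((0, int(rc)) if rc else (1, 0))


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def assess_lib_dir(jar_names) -> dict:
    """Classify a WEB-INF/lib listing: the diff-xml jar is absent (workaround
    applied), present at an affected version, or present at a fixed version."""
    for name in jar_names:
        m = _JAR_RE.match(name)
        if m:
            version = m.group(1)
            return {"version": version, "affected": is_affected(version),
                    "workaround_applied": False}
    return {"version": None, "affected": False, "workaround_applied": True}


if __name__ == "__main__":
    # Constructed listing, not taken from a real installation.
    sample = ["example-lib-1.0.jar", "xwiki-platform-diff-xml-14.10.14.jar"]
    print(assess_lib_dir(sample))
```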
Long-Term Mitigation:
- Regular Patching: Implement a regular patching and update schedule for all software.
- Network Segmentation: Use network segmentation to limit the impact of SSRF attacks.
- Monitoring and Logging: Enhance monitoring and logging to detect and respond to suspicious activities.
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to organizations using XWiki Platform, particularly those in sectors handling sensitive information such as healthcare, finance, and government. The potential for unauthorized access to protected content and impersonation of users can lead to data breaches, financial loss, and reputational damage. The European cybersecurity landscape must prioritize timely patching and robust security measures to mitigate such risks.
6. Technical Details for Security Professionals
Technical Overview:
- Vulnerability Type: SSRF, Cookie Theft, Unauthorized Access
- Affected Component: Image embedding in rendered diffs
- Exploitation Conditions: Requires user interaction to view the diff
- Patch Details: The patch ensures that images are only downloaded from trusted domains and cookies are only sent when the image's domain matches the requested domain. The cache has been modified to be user-specific.
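The three policy changes in the patch description, side by side with the affected behaviour, as an added illustration in Python. This is not XWiki's code: the trusted host list and the user identifier are assumed inputs, and the URLs in the example are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class FetchDecision:
    fetch: bool             # is the server-side image request made at all?
    forward_cookies: bool   # are the viewer's cookies attached to it?
    cache_key: str          # key under which a successful response is stored


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def vulnerable_policy(diff_url: str, image_url: str, user_id: str) -> FetchDecision:
    """Behaviour the advisory describes for affected versions: every embedded
    image is fetched, all cookies are forwarded, the cache is shared by users."""
    return FetchDecision(fetch=True, forward_cookies=True, cache_key=image_url)


def hardened_policy(diff_url: str, image_url: str, user_id: str,
                    trusted_hosts: frozenset) -> FetchDecision:
    """Illustration of the fixed behaviour: fetch only from trusted hosts,
    attach cookies only when the image host equals the diff request host,
    and key the cache per user so a cached response never leaks across users."""
    image_host = _host(image_url)
    if image_host not in trusted_hosts:
        return FetchDecision(fetch=False, forward_cookies=False, cache_key="")
    same_host = image_host == _host(diff_url)
    return FetchDecision(fetch=True, forward_cookies=same_host,
                         cache_key=f"{user_id}|{image_url}")


if __name__ == "__main__":
    # Constructed URLs for illustration only.
    diff = "https://wiki.example.org/xwiki/bin/view/Main/Page?viewer=changes"
    foreign = "https://img.example.net/pixel.png"
    print(vulnerable_policy(diff, foreign, "alice"))
    print(hardened_policy(diff, foreign, "alice", frozenset({"wiki.example.org"})))
```

The first decision shows the cross-domain request that carries the viewer's cookies off-site; the second shows it being refused because the host is not trusted.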
Conclusion: This vulnerability underscores the importance of timely patching and robust security practices. Organizations should prioritize updating to the patched versions and implementing additional security measures to protect against similar threats in the future.