CVE-2021-21380

7.7 HIGH

📋 TL;DR

This vulnerability allows SQL injection in XWiki Platform's Ratings API for users with Script rights: values that a wiki script hands to the API end up inside the database query. Attackers can execute arbitrary SQL queries with the privileges of XWiki's database account, so they are not limited to the ratings tables and can read, modify, or delete other wiki data. Only affects XWiki installations with the Ratings API installed.
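An added illustration, not XWiki's own code (which is Java and queries through Hibernate/HQL), of the two shapes of this bug and of the fix, in Python against an in-memory SQLite database with constructed tables: a ratings query that concatenates the document name and sort column a script hands it, beside a version that binds the value and allow-lists the identifier. The table and column names, the payloads and the admin hash are all constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the wiki database: a ratings table
# plus an unrelated table that a ratings query was never meant to reach.
ADMIN_HASH = "$2a$10$constructed-hash-value"
SCHEMA = f"""
CREATE TABLE ratings (doc TEXT, author TEXT, vote INTEGER);
CREATE TABLE xwikiusers (name TEXT, password_hash TEXT);
INSERT INTO ratings VALUES ('Main.WebHome', 'alice', 5);
INSERT INTO ratings VALUES ('Main.WebHome', 'bob', 3);
INSERT INTO ratings VALUES ('Sandbox.Test', 'carol', 4);
INSERT INTO xwikiusers VALUES ('admin', '{ADMIN_HASH}');
"""

# Identifiers (column names) cannot be bound as parameters, so they get an
# allow-list instead of escaping.
ALLOWED_SORT_COLUMNS = {"author", "vote"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def ratings_vulnerable(conn, doc, sort="vote"):
    """Vulnerable pattern: caller-controlled strings concatenated into SQL."""
    sql = f"SELECT author, vote FROM ratings WHERE doc = '{doc}' ORDER BY {sort}"
    return conn.execute(sql).fetchall()


def ratings_hardened(conn, doc, sort="vote"):
    """Hardened pattern: bind the value, allow-list the identifier."""
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    sql = f"SELECT author, vote FROM ratings WHERE doc = ? ORDER BY {sort}"
    return conn.execute(sql, (doc,)).fetchall()


# Payload 1: a "document name" that turns the query into a UNION and dumps a
# table the Ratings API has nothing to do with.
UNION_PAYLOAD = "x' UNION SELECT name, password_hash FROM xwikiusers -- "


def leak_via_union(conn):
    return ratings_vulnerable(conn, UNION_PAYLOAD)


# Payload 2: a sort expression. Nothing foreign is returned, but the ORDER the
# rows come back in answers a yes/no question about another table
# (boolean-blind injection). Sorting by vote puts bob (3) before alice (5);
# sorting by author puts alice first.
def blind_probe(conn, guess_first_char):
    sort = (
        "(CASE WHEN (SELECT substr(password_hash, 1, 1) FROM xwikiusers "
        f"WHERE name = 'admin') = '{guess_first_char}' THEN vote ELSE author END)"
    )
    rows = ratings_vulnerable(conn, "Main.WebHome", sort)
    return rows[0][0] == "bob"  # True: the guessed first hash character is right


def hardened_rejects_sort(conn, sort):
    """True if the allow-list refuses the sort expression before it reaches SQL."""
    try:
        ratings_hardened(conn, "Main.WebHome", sort)
    except ValueError:
        return True
    return False
```

The UNION payload reads a table the Ratings API has no business with, which is the point above about not being limited to ratings data; the blind probe shows that even an input which cannot be bound as a parameter (a sort column) leaks data one bit at a time, which is why identifiers need an allow-list rather than an escaping routine.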

💻 Affected Systems

Products:
  • XWiki Platform
Versions: All versions before XWiki 12.9RC1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if the Ratings API extension is installed. The attacker must already hold Script rights, i.e. be an authenticated user allowed to put scripts (Velocity, Groovy, ...) in wiki pages, because the injection is reached through a script calling the API.

📦 What is this software?

XWiki is an open-source, Java-based enterprise wiki platform that keeps its pages, users and access rights in a relational database accessed through Hibernate. The Ratings API is an optional platform extension that lets users rate pages and exposes a script service so wiki scripts can read and write ratings; scripts in a page run with the rights of that page's author, which is why Script rights are the gate for this issue.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the wiki database: reading any table (including user credentials and the rights data that XWiki's access control relies on), modifying or deleting content, and, if the database account has the privileges for it, code execution through database-specific functions.

🟠

Likely Case

Unauthorized data access, privilege escalation (for example by altering rights or group membership stored in the database), or data manipulation by users with Script rights.

🟢

If Mitigated

Limited impact if proper access controls restrict Script rights and database permissions are minimized.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account that holds Script rights; with that, the injection is a single API call from a script in a wiki page, so the absence of a public PoC offers little protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: XWiki 12.9RC1 and later

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5

Restart Required: Yes

Instructions:

1. Upgrade XWiki Platform to version 12.9RC1 or later (a full platform upgrade: deploy the new WAR and complete the Distribution Wizard on first start).
2. Restart the servlet container (Tomcat, Jetty) that runs XWiki.
3. In Administration > Extensions, confirm that the installed Ratings API extension is the version shipped with the upgraded platform and not a stale older one.

🔧 Temporary Workarounds

Uninstall Ratings API (applies to all affected versions)

Remove the vulnerable Ratings API extension from XWiki. The bug lives in the extension itself, so without it the injectable code path is gone; pages that use the ratings script service or the ratings UI will stop working until the extension is reinstalled after the upgrade.

Navigate to Administration > Extensions (the Extension Manager), locate the Ratings API extension and uninstall it.

🧯 If You Can't Patch

  • Restrict Script rights to only essential, trusted users, and audit which users and groups currently hold it in the rights section of Administration; treat anyone with Script rights as able to run arbitrary SQL
  • Run XWiki with a database account confined to its own schema, with no file-system, OS-command or cross-database privileges, so an injected query cannot escalate beyond the wiki's data
  • Implement network segmentation and firewall rules to limit access to XWiki instances

🔍 How to Verify

Check if Vulnerable:

The instance is affected only when both conditions hold: the platform version is below 12.9RC1 and the Ratings API extension is installed. Check Administration > Extensions for an installed extension named Ratings API (expected id org.xwiki.platform:xwiki-platform-ratings-api).

Check Version:

The running version is shown in the page footer of the default skin and in the Administration pages, and a script can read it with $xwiki.getVersion(); the xwiki.cfg configuration file does not carry the version.

Verify Fix Applied:

Verify that the XWiki version is 12.9RC1 or later and that the installed Ratings API extension reports a matching version. Probing the API with quote characters from a script tells you only whether one code path tolerated one payload; rely on the version check.
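An added check, not XWiki's code, that encodes the two conditions on this page: a platform version below 12.9RC1 and the Ratings API present. The version parser understands XWiki's release naming (12.8.1, 12.9-rc-1, the announcement spelling 12.9RC1, milestone builds) and orders milestone < rc < final. The extension id is the expected one for the Ratings API module and is an assumption to verify against what Extension Manager shows. Feed it the string from $xwiki.getVersion() and the list of installed extension ids.

```python
import re

# The advisory's fix version, written the way XWiki's Maven artifacts spell it
# (12.9RC1 in the announcement is 12.9-rc-1 in the version string).
FIXED_IN = "12.9-rc-1"

# Expected extension id of the Ratings API (assumption based on the module
# name in xwiki-platform; check against Extension Manager).
RATINGS_API_ID = "org.xwiki.platform:xwiki-platform-ratings-api"

# Pre-release qualifiers, lowest first. A version with no qualifier is the
# final release and sorts above any qualifier. Milestone < RC follows the
# usual Maven convention and is an assumption, not something the advisory says.
QUALIFIER_RANK = {"milestone": 0, "m": 0, "rc": 1}
FINAL_RANK = 2

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"                                 # 12.9 / 12.8.1
    r"(?:[-.]?(?P<qual>milestone|rc|m)[-.]?(?P<qnum>\d+))?$",   # -rc-1 / RC1 / -milestone-2
    re.IGNORECASE,
)


def parse_version(text):
    """Sortable key: (numeric parts padded to 3, qualifier rank, qualifier number)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    nums = [int(p) for p in m.group("nums").split(".")]
    nums = tuple(nums + [0] * (3 - len(nums)))   # 12.9 == 12.9.0
    qual = m.group("qual")
    if qual is None:
        return nums, FINAL_RANK, 0
    return nums, QUALIFIER_RANK[qual.lower()], int(m.group("qnum"))


def version_before_fix(version):
    return parse_version(version) < parse_version(FIXED_IN)


def assess(version, installed_extension_ids):
    """Vulnerable only when BOTH hold: unfixed platform AND Ratings API installed."""
    ratings_installed = RATINGS_API_ID in set(installed_extension_ids)
    old = version_before_fix(version)
    return {
        "version_before_fix": old,
        "ratings_api_installed": ratings_installed,
        "vulnerable": old and ratings_installed,
    }
```

The padding step matters for the release-candidate boundary: 12.9-rc-1 must sort above every 12.8.x build and below the final 12.9, which a plain string comparison gets wrong.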

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs: statements from XWiki's database account that touch tables outside the ratings tables, or contain UNION / subquery patterns the application never issues
  • Hibernate/JDBC syntax errors in xwiki.log (SQLGrammarException, SQLSyntaxErrorException, "error in your SQL syntax") clustered on one document or one user; failed injection attempts leave exactly this trail
  • Script-right users creating or editing pages that call the ratings script service with unusual arguments

Network Indicators:

  • Unusual database connection patterns from XWiki server

SIEM Query (Splunk-style; a bare match on "SQL" or "database" is too noisy to act on):

source="xwiki.log" ("SQLGrammarException" OR "SQLSyntaxErrorException" OR "error in your SQL syntax" OR "SQLState: 42") | rex field=_raw "bin/\w+/(?<doc>[^\]\s]+)" | stats count by doc | where count > 3
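Added detection logic, not from the page or from XWiki, that does offline what the SIEM query does: run over constructed xwiki.log lines, keep those carrying a SQL grammar or syntax error, attribute each to the wiki document named in the request URL that XWiki appends to the thread name, and report documents that produced a burst of them. The log layout is an assumption based on XWiki's default logback output, and the logger names are illustrative rather than the real classes.

```python
import re
from collections import Counter

# Constructed sample lines. Layout assumed: timestamp [thread - request URL]
# LEVEL logger - message. Logger names are illustrative.
SAMPLE_LOG = """\
2021-03-10 14:21:58,004 [http-nio-8080-exec-2 - http://wiki.example.org/xwiki/bin/view/Main/] INFO  o.x.e.ExtensionManager - Loaded org.xwiki.platform:xwiki-platform-ratings-api/12.8
2021-03-10 14:22:05,123 [http-nio-8080-exec-3 - http://wiki.example.org/xwiki/bin/view/Sandbox/Probe] WARN  o.h.e.j.s.SqlExceptionHelper - SQL Error: 1064, SQLState: 42000
2021-03-10 14:22:05,124 [http-nio-8080-exec-3 - http://wiki.example.org/xwiki/bin/view/Sandbox/Probe] ERROR o.h.e.j.s.SqlExceptionHelper - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
2021-03-10 14:22:05,130 [http-nio-8080-exec-3 - http://wiki.example.org/xwiki/bin/view/Sandbox/Probe] ERROR o.x.r.RatingsManager - Failed to get ratings: org.hibernate.exception.SQLGrammarException: could not extract ResultSet
2021-03-10 14:22:09,910 [http-nio-8080-exec-3 - http://wiki.example.org/xwiki/bin/view/Sandbox/Probe] ERROR o.x.r.RatingsManager - Failed to get ratings: org.hibernate.exception.SQLGrammarException: could not extract ResultSet
2021-03-10 14:22:14,330 [http-nio-8080-exec-3 - http://wiki.example.org/xwiki/bin/view/Sandbox/Probe] ERROR o.x.r.RatingsManager - Failed to get ratings: org.hibernate.exception.SQLGrammarException: could not extract ResultSet
2021-03-10 14:30:00,001 [http-nio-8080-exec-7 - http://wiki.example.org/xwiki/bin/view/Docs/Guide] ERROR o.x.r.RatingsManager - Failed to get ratings: org.hibernate.exception.SQLGrammarException: could not extract ResultSet
2021-03-10 14:31:42,777 [http-nio-8080-exec-1 - http://wiki.example.org/xwiki/bin/view/Main/] ERROR c.x.x.w.XWikiAction - Uncaught exception: java.lang.NullPointerException
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "
    r"\[(?P<thread>[^\]\s]+)(?: - (?P<url>[^\]\s]+))?\] "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# Markers that a statement reached the database and was rejected as malformed,
# which is what a stray quote or comment sequence inside a query produces.
SQL_ERROR_MARKERS = (
    "SQLGrammarException",
    "SQLSyntaxErrorException",
    "error in your SQL syntax",
    "SQLState: 42",
)


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def document_of(url):
    """Map .../xwiki/bin/<action>/<Space>/<Page> to Space/Page."""
    if not url:
        return None
    m = re.search(r"/bin/[^/]+/([^?#]*)", url)
    return m.group(1).rstrip("/") if m else None


def sql_error_events(log_text):
    """Parsed records whose message carries one of the SQL error markers."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(marker in rec["msg"] for marker in SQL_ERROR_MARKERS):
            rec["doc"] = document_of(rec["url"])
            events.append(rec)
    return events


def suspicious_documents(log_text, threshold=3):
    """Documents whose rendering produced at least `threshold` SQL errors."""
    counts = Counter(e["doc"] for e in sql_error_events(log_text))
    return {doc: n for doc, n in counts.items() if n >= threshold}
```

A single SQLGrammarException is usually a developer's typo; a run of them from the same page, as Sandbox/Probe produces in the sample, is someone iterating on a payload, and the page's content author is the account to look at.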

🔗 References

  • GitHub Security Advisory GHSA-79rg-7mv3-jrr5: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5
  • NVD entry for CVE-2021-21380: https://nvd.nist.gov/vuln/detail/CVE-2021-21380
