CVE-2023-29516

9.9 CRITICAL

📋 TL;DR

CVE-2023-29516 is a critical code-injection vulnerability in XWiki Platform. Any user with view rights on the XWiki.AttachmentSelector page can make that page execute arbitrary Groovy, Python or Velocity code. XWiki runs a page's scripts with the rights of the page's author, and this default page is saved by a privileged author, so the injected code runs with programming rights inside the XWiki server process: full read and write access to all wiki content and arbitrary code execution on the host as the XWiki service account. The vulnerable page ships with the default distribution, so a default installation is affected.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: 13.x before 13.10.11; 14.0 through 14.4.x before 14.4.8; 14.5 through 14.10.x before 14.10.1; 15.0 pre-releases before 15.0-rc-1. Earlier, unmaintained branches never received the fix and should be treated as affected.
Operating Systems: All operating systems running XWiki
Default Config Vulnerable: ⚠️ Yes
Notes: The XWiki.AttachmentSelector page is part of the default distribution, so no optional extension needs to be installed for the instance to be exposed. Exploitation needs view rights on that page only, which every registered user normally has; whether guests also have it depends on the wiki's rights configuration.

📦 What is this software?

XWiki Platform is an open-source, Java-based enterprise wiki whose pages can embed scripts (Velocity, Groovy, Python and others) to build applications on top of the wiki. That scripting model is why a content-injection bug in a privileged default page turns into remote code execution rather than a cross-site scripting issue.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Arbitrary code execution on the XWiki host as the account running the Java servlet container, with full read and write access to all wiki content and configuration, theft of credentials and sessions, persistence through modified wiki pages, and use of the server as a pivot into the internal network.

🟠 Likely Case: A low-privileged account (an existing user or a self-registered one) uses the flaw to take over the wiki: creating or elevating administrators, reading every page and attachment, and exfiltrating data.

🟢 If Mitigated: With network segmentation, a least-privilege service account for XWiki and outbound filtering, the impact stays within the XWiki application and its data instead of spreading to adjacent systems; the wiki itself is still fully compromised.

🌐 Internet-Facing: HIGH - Any Internet-facing instance is exploitable remotely by anyone who has, or can register, an account with view rights on the page; on wikis that allow self-registration or guest viewing this is effectively unauthenticated.
🏢 Internal Only: HIGH - Any internal user with a wiki account can gain full control of the instance and of the host it runs on.

🎯 Exploit Status

Public PoC: No
Weaponized: Likely (low complexity, a single authenticated request)
Unauthenticated Exploit: No - an account with view rights on XWiki.AttachmentSelector is required
Complexity: LOW

Exploitation requires view rights on the vulnerable page, which is normally granted to every registered user. The flaw is improper escaping when the page builds its 'Cancel and return to page' button: attacker-controlled input used for that button reaches the rendered content unescaped, so script macros placed in it are parsed and executed with the page author's programming rights.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.10.11, 14.4.8, 14.10.1, or 15.0-rc-1

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3989-4c6x-725f

Restart Required: Yes

Instructions:

1. Identify your XWiki version (page footer or Administration).
2. Upgrade to the fixed release for your branch: 13.10.11, 14.4.8, 14.10.1 or 15.0-rc-1 (or any later release).
3. Restart the servlet container running XWiki so the new WAR is loaded.
4. Confirm that the version now reported is a fixed one and that the attachment selector still works for a regular user account.

🔧 Temporary Workarounds

No official workarounds

The vendor states there are no known workarounds for this vulnerability other than upgrading to a fixed version.

🧯 If You Can't Patch

  • Restrict view rights on the XWiki.AttachmentSelector page to administrators (deny view for non-admin groups in the page's rights settings); this breaks the attachment picker for everyone else, so treat it as a stop-gap until the upgrade
  • Disable self-registration and review existing accounts, since the attack only needs a low-privileged account with view rights
  • Implement network-level controls to limit who can reach the XWiki instance, restrict outbound connections from the server, and monitor for the indicators below

🔍 How to Verify

Check if Vulnerable:

Check your XWiki version against its branch: 13.x below 13.10.11, 14.0-14.4.x below 14.4.8, 14.5-14.10.x below 14.10.1, or a 15.0 pre-release before 15.0-rc-1 is vulnerable. Treat SNAPSHOT or pre-release builds of a fixed version number as unpatched unless you can confirm they contain the fix.
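A version-triage helper, added here as an example (it is not code from the page or from XWiki). It encodes the fixed releases from the vendor advisory and compares a version string against the right branch. Its handling of XWiki's version grammar ("14.10", "14.10.1", "15.0-rc-1", "14.4.8-SNAPSHOT") is an assumption about the usual numbering, and pre-release or SNAPSHOT builds are ranked below the final release of the same number, so they come out as vulnerable unless you confirm otherwise.

```python
"""Version triage for CVE-2023-29516 (added example, not vendor code).

Fixed releases are taken from the vendor advisory GHSA-3989-4c6x-725f.
The version-string grammar handled here is an assumption about XWiki's
usual numbering; unknown formats raise instead of guessing.
"""
import re
from typing import Tuple

# Pre-release qualifiers sort below the final release of the same number,
# so "14.10.1-SNAPSHOT" and "14.10-rc-1" both count as older than "14.10.1".
PRE_MILESTONE, PRE_RC, PRE_SNAPSHOT, FINAL = 0, 1, 2, 3

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+)|-(SNAPSHOT))?$",
    re.IGNORECASE,
)

VersionKey = Tuple[int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Turn an XWiki version string into a tuple that compares correctly."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, qualifier, qnum, snapshot = m.groups()
    if snapshot:
        rank, num = PRE_SNAPSHOT, 0
    elif qualifier:
        rank = PRE_MILESTONE if qualifier.lower() == "milestone" else PRE_RC
        num = int(qnum)
    else:
        rank, num = FINAL, 0
    return (int(major), int(minor), int(patch or 0), rank, num)


def fixed_release_for(version: str) -> str:
    """First release on the given version's branch that contains the fix.

    Branches older than 13.x never received a fix, so they are compared
    against 13.10.11 and always come out as vulnerable.
    """
    major, minor, *_ = parse_version(version)
    if major <= 13:
        return "13.10.11"
    if major == 14:
        return "14.4.8" if minor <= 4 else "14.10.1"
    return "15.0-rc-1"


def is_vulnerable(version: str) -> bool:
    """True when the version is older than the fixed release on its branch."""
    return parse_version(version) < parse_version(fixed_release_for(version))


if __name__ == "__main__":
    import sys

    for v in sys.argv[1:] or ["14.10", "14.10.1", "15.0-rc-1"]:
        state = "VULNERABLE" if is_vulnerable(v) else "fixed"
        print(f"{v:>16}  {state:<10} (fixed in {fixed_release_for(v)})")
```

Run it with the version string taken from the footer or the Administration page; the branch mapping is the point, since a plain "is it below 14.10.1" check would wrongly mark 14.4.8 and 13.10.11 as vulnerable.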

Check Version:

Open the wiki Administration, or look at the page footer, which in the default skin shows the running XWiki version.

Verify Fix Applied:

After patching, confirm that the reported version is 13.10.11, 14.4.8, 14.10.1, 15.0-rc-1 or a later release on the same branch, and that the attachment selector still works for a regular user account.

📡 Detection & Monitoring

Log Indicators:

  • Requests to XWiki.AttachmentSelector whose parameters contain script-macro syntax such as {{groovy, {{python, {{velocity, #set( or $services (compare URL-decoded values; the page is a normal UI page, so access alone is not suspicious)
  • Errors or stack traces from Groovy, Python or Velocity execution in the XWiki application log around requests to that page
  • Administrative actions (rights changes, new members of the admin group, edits to pages in the XWiki space) performed by accounts that are not administrators

Network Indicators:

  • Unusual outbound connections from the XWiki server (reverse shells, downloads of tooling, callbacks to attacker infrastructure)
  • Traffic volumes or destinations indicating exfiltration of wiki content or attachments

SIEM Query:

Search web-server access logs for requests to XWiki.AttachmentSelector whose query string contains script-macro markers after URL decoding, attribute them to the requesting account, and review XWiki application logs for script errors and for user or rights changes in the same time window.
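The search described above, implemented as an added example over constructed log lines (this is not code from the page or from XWiki). It parses combined-format access-log entries, keeps those whose path is the XWiki.AttachmentSelector page, URL-decodes every query parameter until the value stops changing, and flags values containing XWiki script-macro openers or Velocity directives. The parameter names in the sample lines are placeholders, not the actual vulnerable parameter, and looking only at the URL is a heuristic: POST bodies never appear in access logs, so pair this with XWiki's own application logs.

```python
"""Flag access-log requests to XWiki.AttachmentSelector whose query string
carries XWiki script-macro syntax (added detection example, not XWiki code).

SAMPLE_LOG is constructed: combined log format as written by Tomcat's
AccessLogValve or a reverse proxy.  Parameter names in it are placeholders.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# The page name wherever it sits in the URL scheme (/xwiki/bin/view/...,
# short URLs, other actions such as /get/).
PAGE_RE = re.compile(r"/XWiki/AttachmentSelector(?:/|$)")

# XWiki 2.x macro openers for the languages named in the advisory, plus
# Velocity directives and script-service objects that a page reference or
# redirect target would never legitimately contain.
MARKER_RE = re.compile(
    r"\{\{\s*(?:groovy|python|velocity|script)\b"
    r"|#(?:set|evaluate|if|foreach)\s*\("
    r"|\$(?:services|xwiki|request|xcontext)\b",
    re.IGNORECASE,
)

SAMPLE_LOG = """\
10.0.0.5 - alice [12/Apr/2023:10:01:22 +0000] "GET /xwiki/bin/view/XWiki/AttachmentSelector?docname=Sandbox.WebHome HTTP/1.1" 200 18211
10.0.0.9 - mallory [12/Apr/2023:10:02:03 +0000] "GET /xwiki/bin/view/XWiki/AttachmentSelector?docname=%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 1844
10.0.0.9 - mallory [12/Apr/2023:10:02:40 +0000] "GET /xwiki/bin/view/XWiki/AttachmentSelector?xredirect=%257B%257Bvelocity%257D%257D%2524services HTTP/1.1" 200 1902
10.0.0.7 - bob [12/Apr/2023:10:03:11 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?x=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 9000
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded payloads (%257B -> %7B -> {)
    are seen in clear; capped so pathological input cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str) -> Optional[Dict]:
    """Return a finding for one log line, or None if it is not suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not PAGE_RE.search(fully_decode(url.path)):
        return None
    # parse_qsl removes one encoding layer; fully_decode strips any extra ones.
    hits = [
        (name, fully_decode(value))
        for name, value in parse_qsl(url.query, keep_blank_values=True)
        if MARKER_RE.search(fully_decode(value))
    ]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "timestamp": m.group("ts"),
        "status": m.group("status"),
        "params": hits,
    }


def scan(lines: Iterable[str]) -> List[Dict]:
    """Findings for every suspicious line, in log order."""
    return [f for f in (inspect_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Point it at a real file with scan(open(path)). The repeated decoding is what makes the rule useful: one extra %25 encoding layer is enough to slip past a search for the literal string {{groovy, and the third sample line shows exactly that evasion being caught.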

🔗 References

  • Vendor advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3989-4c6x-725f
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-29516
