CVE-2023-29521
📋 TL;DR
CVE-2023-29521 is a critical remote code execution vulnerability in XWiki Platform where any user with view rights can execute arbitrary Groovy, Python, or Velocity code due to improper escaping in the Macro.VFSTreeMacro. This allows attackers to gain full administrative access to the XWiki installation. The vulnerable page is not installed by default, but any XWiki instance with the affected macro is at risk.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the XWiki instance, allowing attackers to execute arbitrary code, access/modify all data, install backdoors, and potentially pivot to other systems.
Likely Case
Unauthorized users with view rights gain administrative privileges, leading to data theft, content manipulation, and further system exploitation.
If Mitigated
If proper network segmentation and least privilege access controls are implemented, impact may be limited to the XWiki instance itself.
🎯 Exploit Status
Exploitation requires view rights (not admin), making it accessible to many users. The vulnerability is in macro parsing, which is a common attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.0-rc-1, 14.10.2, 14.4.8, or 13.10.11
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p67q-h88v-5jgr
Restart Required: Yes
Instructions:
1. Backup your XWiki instance.
2. Download the patched version from xwiki.org.
3. Follow XWiki's upgrade documentation for your version.
4. Restart the application server.
5. Verify the fix by checking the version.
🧯 If You Can't Patch
- Remove or disable the Macro.VFSTreeMacro page if installed
- Restrict view rights to trusted users only and implement strict access controls
🔍 How to Verify
Check if Vulnerable:
Check if the Macro.VFSTreeMacro page exists in your XWiki installation and verify your XWiki version against affected versions.
Check Version:
Check the XWiki administration panel, or view the page source, for version information.
Verify Fix Applied:
Verify that the XWiki version is 15.0-rc-1, 14.10.2, 14.4.8, 13.10.11 or later, and test that the macro no longer allows arbitrary code execution.
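A branch-aware check of an installed version against the fix list above, added here as an example rather than XWiki's own tooling. It assumes that each listed fix covers its own maintenance branch (13.10.x, 14.4.8 for 14.0 through 14.4, 14.10.2 for 14.5 through 14.10, and 15.0-rc-1 for 15.x), so an install on an intermediate 14.x line is only safe once it moves to 14.10.2 or later; all function names are the example's own.

```python
import re
from typing import Optional, Tuple

# Fixed versions listed on this page, one per maintenance branch.
FIXED_VERSIONS = ("13.10.11", "14.4.8", "14.10.2", "15.0-rc-1")

# XWiki version strings look like "14.10.2", "14.7" or "15.0-rc-1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse an XWiki version into a sortable (major, minor, patch, rc) tuple.

    A release candidate sorts before the final release of the same number, so
    the last element is the rc number for pre-releases and a large sentinel
    for final releases.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else 10**6)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fix version that applies to this version's branch.

    Returns None for branches that received no backport (assumption: 14.5
    through 14.9 must move to 14.10.2, and anything older than 13.10 must
    move to a supported branch).
    """
    major, minor, _, _ = parse_version(version)
    if major >= 15:
        return "15.0-rc-1"
    if major == 14:
        if minor >= 5:
            return "14.10.2"   # 14.5-14.9 have no own fix; 14.10.2 covers them
        return "14.4.8"        # 14.0-14.4 are covered by the 14.4.8 backport
    if major == 13 and minor == 10:
        return "13.10.11"
    return None


def is_patched(version: str) -> bool:
    """True when the installed version is at or beyond the fix on its branch."""
    fix = fixed_version_for(version)
    return fix is not None and parse_version(version) >= parse_version(fix)
```

Feed it the version string from the administration panel; a False result means the instance is still on an affected release and the workarounds below apply until it is upgraded.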
📡 Detection & Monitoring
Log Indicators:
- Unusual macro execution patterns
- Unexpected Groovy/Python/Velocity code execution in logs
- Administrative actions from non-admin users
Network Indicators:
- Unusual outbound connections from XWiki server
- Payloads containing macro syntax in HTTP requests
SIEM Query:
source="xwiki" AND ("Macro.VFSTreeMacro" OR "groovy" OR "python" OR "velocity") AND status="200"
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p67q-h88v-5jgr
- https://jira.xwiki.org/browse/XWIKI-20260