CVE-2023-30537
📋 TL;DR
CVE-2023-30537 is a critical remote code execution vulnerability in XWiki Platform that allows authenticated users with object creation rights to execute arbitrary Groovy, Python, or Velocity code. This leads to complete compromise of the XWiki installation. All XWiki instances with default configurations running vulnerable versions are affected.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, access sensitive data, modify content, and potentially pivot to other systems in the network.
Likely Case
Authenticated attackers gaining administrative privileges, stealing sensitive data, and maintaining persistent access to the XWiki instance.
If Mitigated
Limited impact if proper access controls restrict object creation rights to trusted users only, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires authenticated access with object creation rights. The vulnerability is in a default component making exploitation straightforward for attackers with valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.10.11, 14.4.7, or 14.10
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vrr8-fp7c-7qgp
Restart Required: Yes
Instructions:
1. Identify your XWiki version.
2. Upgrade to 13.10.11, 14.4.7, or 14.10 depending on your current version track.
3. Restart the XWiki application server.
4. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Restrict Object Creation Permissions
Temporarily limit 'Add Object' permissions to only essential administrators until patching can be completed.
Navigate to XWiki Administration > Rights > Page Rights and restrict the 'Add Object' permission globally and on specific spaces.
Remove FlamingoThemesCode.WebHome Page
Delete or restrict access to the vulnerable page if it is not needed for functionality.
Access XWiki and delete the page 'FlamingoThemesCode.WebHome' or modify its permissions to prevent access.
🧯 If You Can't Patch
- Immediately restrict 'Add Object' permissions to only absolutely necessary trusted administrators
- Implement network segmentation to isolate XWiki instances from critical systems and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check XWiki version via Administration > About or by examining the XWiki WAR file. Versions before 13.10.11, 14.4.7, and 14.10 are vulnerable.
Check Version:
Check XWiki web interface at /xwiki/bin/view/Admin/About or examine xwiki-platform-core version in META-INF/MANIFEST.MF
Verify Fix Applied:
After upgrade, verify version shows 13.10.11, 14.4.7, or 14.10 in Administration > About. Test that object creation still works but code execution is prevented.
📡 Detection & Monitoring
Log Indicators:
- Unusual Groovy/Python/Velocity code execution in logs
- Multiple object creation attempts by single users
- Access to FlamingoThemesCode.WebHome with POST requests
Network Indicators:
- POST requests to pages with object creation containing script code
- Unusual outbound connections from XWiki server
SIEM Query:
source="xwiki.log" AND ("Groovy" OR "Python" OR "Velocity") AND "execution" AND NOT "expected_script"
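The two access-log indicators above (POST requests against FlamingoThemesCode.WebHome, and single users issuing many object creation requests) can be checked offline with a small script. This is an added example, not part of the advisory or of XWiki; the log lines are constructed, the user field is assumed to hold the authenticated XWiki user, and the /xwiki/bin/<action>/<Space>/<Page> URL form with the objectadd action is assumed as the shape of object creation requests.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format with the authenticated
# XWiki user in the third field). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Apr/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5123
10.0.0.9 - mallory [12/Apr/2023:10:02:10 +0000] "POST /xwiki/bin/objectadd/FlamingoThemesCode/WebHome HTTP/1.1" 302 0
10.0.0.9 - mallory [12/Apr/2023:10:02:11 +0000] "POST /xwiki/bin/objectadd/Sandbox/TestPage1 HTTP/1.1" 302 0
10.0.0.9 - mallory [12/Apr/2023:10:02:12 +0000] "POST /xwiki/bin/objectadd/Sandbox/TestPage2 HTTP/1.1" 302 0
10.0.0.7 - bob [12/Apr/2023:10:03:00 +0000] "POST /xwiki/bin/save/Sandbox/Notes HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumed XWiki URL form: /xwiki/bin/<action>/<Space>/<Page>
ACTION_RE = re.compile(r'^/xwiki/bin/(?P<action>[^/]+)/(?P<space>[^/]+)/(?P<page>[^/?]+)')


def analyze(log_text, threshold=3):
    """Return the advisory's two indicators: POSTs against FlamingoThemesCode.WebHome,
    and users with at least `threshold` object creation (objectadd) POSTs."""
    flamingo_posts = []
    objectadd_per_user = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        a = ACTION_RE.match(m["path"])
        if not a:
            continue
        if (a["space"], a["page"]) == ("FlamingoThemesCode", "WebHome"):
            flamingo_posts.append((m["user"], m["path"]))
        if a["action"] == "objectadd":
            objectadd_per_user[m["user"]] += 1
    bulk = {u: n for u, n in objectadd_per_user.items() if n >= threshold}
    return {"flamingo_posts": flamingo_posts, "bulk_object_creators": bulk}


if __name__ == "__main__":
    for indicator, hits in analyze(SAMPLE_LOG).items():
        print(indicator, hits)
```

Tune `threshold` to the normal rate of object creation in your instance; a single POST to FlamingoThemesCode.WebHome from a non-administrator is worth reviewing on its own.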
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/df596f15368342236f8899ca122af8f3df0fe2e8
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vrr8-fp7c-7qgp
- https://jira.xwiki.org/browse/XWIKI-20280