CVE-2023-36468
📋 TL;DR
XWiki Platform keeps old document revisions after an upgrade, and those revisions are still rendered and executed like the current one. A user with view rights can request a historical revision (for example by adding rev=1.1 to a document URL) and re-trigger a vulnerability that the upgrade already fixed in the current revision, such as CVE-2022-36100, which ends in remote code execution on an otherwise patched instance. Every XWiki installation that was upgraded from a vulnerable version is affected; only installations that never ran a vulnerable version (fresh installs on a fixed release) have no vulnerable revisions to serve.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and service disruption via CVE-2022-36100 exploitation.
Likely Case
Any user with view rights on a document that has a vulnerable old revision (including unauthenticated users on wikis that allow anonymous viewing) requests that revision and executes arbitrary code, compromising the XWiki instance.
If Mitigated
Limited impact if the vulnerable old revisions have been deleted from the document history, or if the instance has been upgraded to a version that executes old revisions in restricted mode.
🎯 Exploit Status
Exploitation only requires requesting a historical revision of a document whose old content is vulnerable, by adding the rev parameter to its URL (rev=1.1 is the first revision; any revision number that still contains the vulnerable content works). Previously fixed issues such as CVE-2022-36100 provide a ready exploit path, so no new exploit development is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.7 or 15.2RC1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8q9q-r9v2-644m
Restart Required: Yes
Instructions:
1. Upgrade to XWiki 14.10.7 (14.x line) or 15.2RC1 (15.x line).
2. Restart the XWiki service (the servlet container running XWiki).
3. Confirm that viewing an old revision of a document with history (for example with ?rev=1.1) now executes in restricted mode instead of with the original revision's full rights.
🔧 Temporary Workarounds
Delete old document revisions
Manually delete the historical versions of every document that had a vulnerable revision. This includes the platform's own pages that the upgrade modified, not only user-authored content, and it discards the audit history of those documents.
Use each document's history tab (delete versions), a script run with admin rights, or direct database operations on the document archive to remove the history; take a database backup first.
🧯 If You Can't Patch
- Implement strict network access controls to limit XWiki exposure
- Monitor access logs for requests to document URLs (/bin/view/, /bin/get/ and similar) that carry a rev= parameter, in particular rev=1.1 requested across many different pages from one client
🔍 How to Verify
Check if Vulnerable:
The instance is vulnerable if its version is below 14.10.7 on the 14.x line, or is 15.0 or 15.1 on the 15.x line, and it was upgraded from a version affected by a previously fixed vulnerability such as CVE-2022-36100, so that the document history still contains the vulnerable revisions (check a document's history tab). On such an instance, requesting a document with the rev=1.1 parameter renders that first revision with full execution rights.
Check Version:
Check the XWiki administration dashboard or the page footer of the default skin for the running version, or look at the version suffix of the platform jars under WEB-INF/lib (for example xwiki-platform-oldcore-<version>.jar). The version is not stored in xwiki.properties.
Verify Fix Applied:
After the upgrade, confirm the version reported by the instance is 14.10.7, 15.2RC1 or later, and verify that accessing a document with the rev= parameter renders the old revision in restricted execution mode (or returns an error) rather than executing it with full rights.
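The version boundary above is easy to get wrong by hand because the fix lives on two branches (14.10.7 and 15.2RC1, so 15.0 and 15.1 are below the fix while 14.10.7 is not) and because XWiki writes pre-release versions both as 15.2RC1 and as 15.2-rc-1. The following Python is an added example, not code from XWiki or from this page: it parses the version string into a sortable tuple, applies the two fix thresholds, and combines the result with the history condition the advisory states. The qualifier ordering (milestone before rc before final) is an assumption of this example.

```python
"""Classify an XWiki version against the CVE-2023-36468 fix (added example)."""
import re

# Pre-release qualifiers sort before the final release of the same number.
# This ranking is an assumption of the example, not XWiki's own ordering code.
_QUALIFIER_RANK = {"milestone": 0, "m": 0, "rc": 1}
_FINAL = (2, 0)

_VERSION_RE = re.compile(
    r"(?P<nums>\d+(?:\.\d+)*)(?:-?(?P<qual>milestone|rc|m)-?(?P<qnum>\d+))?",
    re.IGNORECASE,
)


def parse_xwiki_version(text):
    """Turn '14.10.7', '15.2RC1', '15.2-rc-1' or '16.0.0-milestone-1'
    into a tuple that sorts in release order."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    nums = [int(p) for p in m.group("nums").split(".")]
    nums += [0] * (3 - len(nums))          # '15.2' is the same as '15.2.0'
    if m.group("qual"):
        qual = (_QUALIFIER_RANK[m.group("qual").lower()], int(m.group("qnum")))
    else:
        qual = _FINAL
    return (tuple(nums[:3]), qual)


FIX_14X = parse_xwiki_version("14.10.7")   # fix on the 14.x branch (advisory)
FIX_15X = parse_xwiki_version("15.2RC1")   # fix on the 15.x branch (advisory)
_BRANCH_15 = parse_xwiki_version("15.0")


def is_fixed(version):
    """True if this version ships the fix for CVE-2023-36468."""
    v = parse_xwiki_version(version)
    if v < _BRANCH_15:                     # 14.x and anything older
        return v >= FIX_14X
    return v >= FIX_15X                    # 15.0 and 15.1 are below the fix


def assess(version, upgraded_from_vulnerable):
    """Combine the version check with the advisory's history condition:
    only an instance that once ran a vulnerable version carries exploitable
    old revisions, so a fresh install on an unfixed version is not exposed."""
    if is_fixed(version):
        return "patched"
    return "vulnerable" if upgraded_from_vulnerable else "not exposed"


if __name__ == "__main__":
    for v in ["13.10.11", "14.10.6", "14.10.7", "15.1",
              "15.2RC1", "15.2-rc-1", "15.2", "16.0.0-milestone-1"]:
        print(f"{v:>20}  fixed={is_fixed(v)}")
```

Run it with the version string taken from the administration dashboard; a "not exposed" verdict still means the instance should be upgraded, since any future upgrade from that version will leave old revisions behind in the same way.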
📡 Detection & Monitoring
Log Indicators:
- URL requests containing 'rev=' parameter
- Unusual script execution patterns
- Access to historical document versions
Network Indicators:
- HTTP requests with rev parameter to XWiki endpoints
- Unusual outbound connections from XWiki server
SIEM Query:
web.url:*\/bin\/* AND web.url:*rev=* AND destination.port:8080
(8080 is the default port of the servlet container XWiki ships with; use the reverse-proxy port, typically 443, if the wiki sits behind one. Restricting to /bin/ document actions keeps static-resource and REST requests out of the match; a process.name:java clause only makes sense for endpoint telemetry, not for web or proxy logs.)
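A SIEM wildcard on rev= will also match every legitimate visit to a document's history, so the useful signal is the pattern of requests, not a single hit. The Python below is an added example, not code from XWiki or from this page, that runs the log indicators above over constructed combined-format access log lines: it keeps only requests to /bin/<action>/ document URLs that carry a rev parameter (any revision value, not just 1.1), then groups them per client so that one client pulling first revisions of many different pages stands out from a user browsing one page's history. The sample lines, IP addresses, page names and the sweep threshold are all invented for the example.

```python
"""Flag XWiki old-revision requests in a web access log (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in combined log format; IPs, page names and
# timestamps are invented for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.5 - - [12/Jun/2023:10:01:09 +0000] "GET /xwiki/bin/view/Main/WebHome?rev=3.1 HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [12/Jun/2023:10:02:00 +0000] "GET /xwiki/bin/view/Tools/ReportA?rev=1.1 HTTP/1.1" 200 2210 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [12/Jun/2023:10:02:01 +0000] "GET /xwiki/bin/get/Tools/ReportB?rev=1.1 HTTP/1.1" 200 880 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [12/Jun/2023:10:02:02 +0000] "GET /xwiki/bin/view/Tools/ReportC?rev=1.1 HTTP/1.1" 500 312 "-" "python-requests/2.31.0"',
    '203.0.113.9 - - [12/Jun/2023:10:03:15 +0000] "GET /xwiki/resources/js/app.js?rev=2 HTTP/1.1" 200 77100 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# XWiki document URLs: optional context root, then /bin/<action>/<Space/Page>.
DOC_PATH_RE = re.compile(r"^(?:/[^/]+)?/bin/(?P<action>[a-z]+)/(?P<doc>.+)$")


def parse_line(line):
    """Return a finding dict for a document request carrying rev=, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    dm = DOC_PATH_RE.match(url.path)
    if not dm:
        return None                      # static resources, REST, etc.
    rev = parse_qs(url.query).get("rev")
    if not rev:
        return None
    return {"ip": rec["ip"], "ts": rec["ts"], "action": dm.group("action"),
            "doc": dm.group("doc"), "rev": rev[0],
            "status": int(rec["status"]), "ua": rec["ua"]}


def find_revision_requests(lines):
    return [f for f in map(parse_line, lines) if f]


def summarize_by_client(findings, sweep_threshold=3):
    """Per client: request count, distinct documents, rev=1.1 hits, and a
    'sweep' flag when one client pulls old revisions of many documents."""
    per_ip = defaultdict(lambda: {"requests": 0, "docs": set(), "first_revisions": 0})
    for f in findings:
        s = per_ip[f["ip"]]
        s["requests"] += 1
        s["docs"].add(f["doc"])
        if f["rev"] == "1.1":
            s["first_revisions"] += 1
    for s in per_ip.values():
        s["sweep"] = len(s["docs"]) >= sweep_threshold
    return dict(per_ip)


if __name__ == "__main__":
    hits = find_revision_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:<14} {h['action']:<5} {h['doc']:<20} rev={h['rev']:<5} {h['status']} {h['ua']}")
    for ip, s in summarize_by_client(hits).items():
        print(f"{ip}: {s['requests']} rev requests over {len(s['docs'])} docs, "
              f"rev=1.1 x{s['first_revisions']}, sweep={s['sweep']}")
```

Feed it the real access log instead of SAMPLE_LOG and tune the threshold to the wiki's normal history usage; a 200 on a rev=1.1 request from a scripted user agent against a page the upgrade modified is the case to escalate.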
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/15a6f845d8206b0ae97f37aa092ca43d4f9d6e59
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2g5c-228j-p52x
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8q9q-r9v2-644m
- https://jira.xwiki.org/browse/XWIKI-20594