CVE-2024-21648
📋 TL;DR
CVE-2024-21648 is an authorization bypass vulnerability in XWiki Platform where the rollback action lacks proper permission checks. This allows authenticated users to roll back pages to previous versions and regain access rights they no longer possess. All XWiki instances running vulnerable versions are affected.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Privileged users who have had their rights revoked could regain administrative access, potentially leading to complete system compromise, data manipulation, or privilege escalation attacks.
Likely Case
Users who have had permissions reduced could regain their previous access levels, allowing unauthorized modifications to wiki content and potential data integrity issues.
If Mitigated
With proper access controls and monitoring, impact would be limited to unauthorized content modifications that could be detected and rolled back.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.17, 15.5.3, or 15.8-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xh35-w7wg-95v3
Restart Required: Yes
Instructions:
1. Backup your XWiki instance.
2. Upgrade to XWiki 14.10.17, 15.5.3, or 15.8-rc-1.
3. Restart the XWiki service.
4. Verify the fix by testing rollback functionality with reduced-privilege users.
🔧 Temporary Workarounds
Disable rollback functionality
Temporarily disable the rollback feature for all users until patching can be completed
Modify XWiki configuration to remove rollback permissions from all user groups
Restrict rollback permissions
Limit rollback permissions to administrators only
Edit rights settings to grant rollback permission only to admin group
🧯 If You Can't Patch
- Implement strict access controls and regularly audit user permissions
- Enable detailed logging of all rollback actions and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version against the vulnerable versions. Test with a user whose rights have been reduced, attempting to roll back a page they can no longer edit.
Check Version:
Check XWiki version in administration panel or via xwiki.cfg configuration file
Verify Fix Applied:
After patching, test rollback functionality with users who have reduced permissions to confirm they cannot regain previous rights.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized rollback attempts
- Users performing rollbacks on pages they shouldn't have access to
- Multiple rollback actions from the same user in short time
Network Indicators:
- POST requests to rollback endpoints from non-admin users
SIEM Query:
source="xwiki.log" AND ("rollback" OR "action=rollback") AND NOT user="admin"
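As an added detection example (not part of this advisory or of XWiki's own tooling), the log indicators and SIEM query above applied to constructed sample log lines; the line layout and the /bin/rollback/ path are assumptions for the example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real XWiki output). The line layout
# "<ISO timestamp> <user> <method> <path>" and the /bin/rollback/ path are
# assumptions for this example, not the format XWiki actually writes.
SAMPLE_LOG = """\
2024-01-10T09:00:01 admin POST /bin/rollback/Main/WebHome?rev=3.1
2024-01-10T09:05:12 alice POST /bin/view/Main/WebHome
2024-01-10T09:06:40 bob POST /bin/rollback/Sandbox/Policy?rev=2.1
2024-01-10T09:06:55 bob POST /bin/rollback/Sandbox/Policy?rev=1.1
2024-01-10T09:07:10 bob POST /bin/rollback/Admin/Rights?rev=4.1
2024-01-10T10:30:00 carol POST /bin/rollback/Main/Notes?rev=1.1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+)$")
ADMIN_USERS = {"admin"}          # mirrors the advisory's NOT user="admin" filter
BURST_WINDOW = timedelta(minutes=5)
BURST_COUNT = 3                  # rollbacks per user within BURST_WINDOW

def parse_rollbacks(log_text):
    """Return (timestamp, user, path) for each request that hit the rollback action."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "/bin/rollback/" in m["path"]:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["path"]))
    return events

def non_admin_rollbacks(events):
    """Indicator: rollback actions performed by users outside the admin set."""
    return [e for e in events if e[1] not in ADMIN_USERS]

def rollback_bursts(events):
    """Indicator: users with BURST_COUNT or more rollbacks inside BURST_WINDOW."""
    per_user = defaultdict(list)
    for ts, user, _ in events:
        per_user[user].append(ts)
    flagged = []
    for user, stamps in sorted(per_user.items()):
        stamps.sort()
        # Sliding window: compare each timestamp with the one BURST_COUNT-1 later.
        if any(stamps[i + BURST_COUNT - 1] - stamps[i] <= BURST_WINDOW
               for i in range(len(stamps) - BURST_COUNT + 1)):
            flagged.append(user)
    return flagged
```

On the sample above, non_admin_rollbacks() returns bob's three rollbacks and carol's one, and rollback_bursts() flags only bob.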
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/4de72875ca49602796165412741033bfdbf1e680
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xh35-w7wg-95v3
- https://jira.xwiki.org/browse/XWIKI-21257