CVE-2024-31986
📋 TL;DR
This vulnerability allows remote code execution on XWiki servers through crafted document references. Attackers can execute arbitrary code when an administrator visits the scheduler page or when that page is referenced elsewhere in the wiki. All XWiki installations between versions 3.1 and 14.10.18, 15.5.3, and 15.9 are affected.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
Xwiki by Xwiki
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attacker to execute arbitrary code, access sensitive data, modify content, and potentially pivot to other systems.
Likely Case
Server compromise leading to data theft, content manipulation, and installation of backdoors or malware.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place to detect exploitation attempts.
🎯 Exploit Status
Exploitation requires creating a document with specific crafted references, which can be done by any user with edit permissions. Trigger requires admin visit to scheduler page or page reference.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.19, 15.5.5, and 15.10-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-37m4-hqxv-w26g
Restart Required: Yes
Instructions:
1. Upgrade to XWiki 14.10.19, 15.5.5, or 15.10-rc-1. 2. Restart the XWiki application server. 3. Verify the patch is applied by checking version.
🔧 Temporary Workarounds
Manual patch application
allModify the Scheduler.WebHome page to remove the vulnerability as described in the advisory
Edit Scheduler.WebHome page content as per commit 8a92cb4bef7e5f244ae81eed3e64fe9be95827cf
🧯 If You Can't Patch
- Restrict access to scheduler page using web application firewall rules or access controls
- Disable document editing for non-administrative users and monitor for suspicious document creation
🔍 How to Verify
Check if Vulnerable:
Check XWiki version against affected ranges: 3.1-14.10.18, 15.5.3, or 15.9Check Version:
Check XWiki administration panel or view /xwiki/bin/view/Main/AboutVerify Fix Applied:
Verify version is 14.10.19, 15.5.5, or 15.10-rc-1 or later📡 Detection & Monitoring
Log Indicators:
- Unusual document creation with XWiki.SchedulerJobClass objects
- Multiple failed access attempts to scheduler page
- Unexpected process execution from XWiki context
Network Indicators:
- Unusual outbound connections from XWiki server
- Traffic patterns indicating command and control
SIEM Query:
source="xwiki" AND (event="document_creation" AND object_type="XWiki.SchedulerJobClass") OR (url_path="/xwiki/bin/view/Scheduler/" AND status="200")🔗 References
- https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf
- https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87
- https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-37m4-hqxv-w26g
- https://jira.xwiki.org/browse/XWIKI-21416
- https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf
- https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87
- https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-37m4-hqxv-w26g
- https://jira.xwiki.org/browse/XWIKI-21416
