CVE-2024-37899
📋 TL;DR
This vulnerability in XWiki Platform allows privilege escalation through improper access control. When an administrator disables a user account, the user's profile content executes with administrator privileges, enabling attackers to run arbitrary code. All XWiki instances running vulnerable versions are affected.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through remote code execution with administrative privileges, allowing data theft, system modification, or lateral movement.
Likely Case
Attackers with user accounts can execute arbitrary code with admin rights to steal sensitive data, modify configurations, or create backdoors.
If Mitigated
With proper network segmentation and least privilege, impact could be limited to the XWiki application layer only.
🎯 Exploit Status
Exploitation requires a user account and social engineering to get an admin to disable the account. The proof-of-concept is publicly available in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.21, 15.5.5, 15.10.6, or 16.0.0
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93
Restart Required: Yes
Instructions:
1. Backup your XWiki instance.
2. Download the patched version from xwiki.org.
3. Follow XWiki upgrade documentation for your version.
4. Restart the application server.
🔧 Temporary Workarounds
No workaround available
The vendor states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Disable user registration and new account creation
- Implement strict monitoring of admin actions and user profile modifications
🔍 How to Verify
Check if Vulnerable:
As a regular user, edit your profile's about section with {{groovy}}services.logging.getLogger('test').error('test'){{/groovy}}. Have an admin disable your account and check logs for the test message.
Check Version:
Check XWiki version in Administration → About or via xwiki.cfg file
Verify Fix Applied:
After upgrading, repeat the test above. The Groovy code should not execute when the account is disabled.
📡 Detection & Monitoring
Log Indicators:
- Unexpected Groovy script execution in logs
- Admin actions to disable accounts followed by unusual log entries
- Error logs containing user-provided script output
Network Indicators:
- Unusual outbound connections from XWiki server following admin actions
SIEM Query:
source="xwiki.log" AND ("groovy" OR "script" OR "{{/groovy}}") AND event_type="ERROR"
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93
- https://jira.xwiki.org/browse/XWIKI-21611