CVE-2024-52299
📋 TL;DR
CVE-2024-52299 is an authentication bypass vulnerability in the macro-pdfviewer component for XWiki that allows any user with view rights on XWiki.PDFViewerService to access any attachment stored in the wiki. The vulnerability occurs because the key used to prevent unauthorized access is computed incorrectly due to a digest stream issue. This affects XWiki instances using vulnerable versions of the macro-pdfviewer plugin.
💻 Affected Systems
- XWiki with macro-pdfviewer plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers with view rights could exfiltrate all attachments from the wiki, including sensitive documents, credentials, or proprietary information stored as attachments.
Likely Case
Unauthorized users accessing attachments they shouldn't have permission to view, potentially exposing confidential business documents or user-uploaded files.
If Mitigated
Limited exposure if strict access controls are already in place and sensitive attachments are stored outside the wiki or encrypted.
🎯 Exploit Status
Exploitation requires view rights on XWiki.PDFViewerService, which may be granted by default in some configurations. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.6
Vendor Advisory: https://github.com/xwikisas/macro-pdfviewer/security/advisories/GHSA-522m-m242-jr9p
Restart Required: Yes
Instructions:
1. Update macro-pdfviewer to version 2.5.6 or later via the XWiki Extension Manager.
2. Restart the XWiki application server.
3. Verify the update by checking the macro-pdfviewer version in XWiki administration.
🔧 Temporary Workarounds
Restrict view rights on PDFViewerService
Remove view rights from XWiki.PDFViewerService for all users except administrators to prevent exploitation.
Navigate to XWiki.PDFViewerService page > Rights > Remove view rights for groups/users
Disable macro-pdfviewer
Temporarily disable the vulnerable macro until patching is possible.
Navigate to XWiki Administration > Content > Macros > Disable macro-pdfviewer
🧯 If You Can't Patch
- Implement strict access controls on XWiki.PDFViewerService to limit view rights to essential users only.
- Monitor access logs for unusual attachment access patterns and implement network segmentation to limit exposure.
🔍 How to Verify
Check if Vulnerable:
Check the macro-pdfviewer version in XWiki Administration > Extensions. If the version is below 2.5.6, the instance is vulnerable.
Check Version:
In XWiki, navigate to Administration > Extensions and search for 'macro-pdfviewer' to see the installed version.
Verify Fix Applied:
Verify macro-pdfviewer version is 2.5.6 or higher in XWiki Administration > Extensions and test PDF viewer functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to XWiki.PDFViewerService
- Multiple attachment download requests from single users in short timeframes
Network Indicators:
- Increased outbound traffic from XWiki server indicating potential data exfiltration
SIEM Query:
source="xwiki.log" AND ("PDFViewerService" OR "attachment download") AND user!="admin" | stats count by user, src_ip
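As an added illustration of the log indicators above (not part of the original advisory or of XWiki), the following Python flags users who pull many attachments inside a short sliding window and notes whether they also touched XWiki.PDFViewerService. The record format and the URL shapes (`/bin/download/...`, `/bin/get/XWiki/PDFViewerService`) are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample records (not real XWiki output): "<timestamp> <user> <src_ip> <path>".
# Assumed URL shapes: attachments under /bin/download/..., service page under /bin/get/XWiki/PDFViewerService.
SAMPLE_LOG = """\
2024-11-12T10:00:01Z alice 10.0.0.5 /xwiki/bin/get/XWiki/PDFViewerService?key=abc
2024-11-12T10:00:02Z alice 10.0.0.5 /xwiki/bin/download/Finance/Q3/report.pdf
2024-11-12T10:00:03Z alice 10.0.0.5 /xwiki/bin/download/HR/Salaries/2024.pdf
2024-11-12T10:00:04Z alice 10.0.0.5 /xwiki/bin/download/Legal/Contracts/nda.pdf
2024-11-12T10:00:05Z alice 10.0.0.5 /xwiki/bin/download/Legal/Contracts/msa.pdf
2024-11-12T10:00:06Z alice 10.0.0.5 /xwiki/bin/download/Eng/Design/arch.pdf
2024-11-12T10:05:10Z bob 10.0.0.9 /xwiki/bin/download/Main/WebHome/logo.png
2024-11-12T10:30:00Z carol 10.0.0.7 /xwiki/bin/view/Eng/Design
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
IS_ATTACHMENT = re.compile(r"/bin/download/").search
IS_PDFVIEWER = re.compile(r"/bin/get/XWiki/PDFViewerService").search

def parse(log_text):
    """Turn sample records into (timestamp, user, src_ip, path) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_bulk_downloads(events, threshold=5, window_seconds=60, exclude=("admin",)):
    """Flag users who download `threshold` or more attachments inside any sliding window of
    `window_seconds`; also record whether they touched PDFViewerService earlier in the log."""
    recent, touched_viewer, alerts = defaultdict(deque), set(), {}
    for ts, user, ip, path in sorted(events):
        if user in exclude:
            continue
        if IS_PDFVIEWER(path):
            touched_viewer.add(user)
        elif IS_ATTACHMENT(path):
            q = recent[user]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_seconds):
                q.popleft()  # drop downloads that fell out of the window
            if len(q) >= threshold:
                alerts[user] = {"downloads": len(q), "src_ip": ip,
                                "pdfviewer": user in touched_viewer}
    return alerts
```

Tune `threshold` and `window_seconds` to the wiki's normal usage before alerting on the result, since legitimate bulk readers will otherwise trip the rule.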