CVE-2024-55663
📋 TL;DR
This CVE describes an HQL injection vulnerability in XWiki Platform's getdocument.vm template: the request's `sort` parameter is placed unsanitized into a Hibernate (HQL) query. Any user can exploit this to run database queries of their choosing, including reading sensitive data such as password hashes. All XWiki instances running affected versions are vulnerable.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
XWiki by XWiki
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise: attackers read all data (including password hashes), modify or delete data, and, depending on the database backend and the privileges of the database account XWiki uses, potentially execute arbitrary code on the database host. Note that the injection is into HQL rather than raw SQL, so what can be expressed is bounded by what Hibernate will translate; in practice that still includes reading any mapped table.
Likely Case
Unauthorized access to sensitive wiki content and user information, followed by privilege escalation once extracted password hashes are cracked or reused.
If Mitigated
A database account with minimal privileges limits writes and access to other schemas, but it cannot prevent reads of XWiki's own tables (the application needs them, and that is where the password hashes live). Expect data leakage of wiki content and user records even with a locked-down database user.
🎯 Exploit Status
The advisory states that any user can exploit this, the injection point is a single query-string parameter, and SQL/HQL injection of this kind is routinely weaponized; treat exploitation as trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.10.5 or 14.3-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398
Restart Required: Yes
Instructions:
1. Back up your XWiki instance (database and data directory).
2. Upgrade to XWiki 13.10.5 (stable) or 14.3-rc-1 (development).
3. Restart the XWiki application server.
4. Verify the patch is applied (see How to Verify below).
🧯 If You Can't Patch
- Restrict network access to the XWiki instance to trusted users only; if guest access is not required, disable it, since the advisory says any user can exploit this.
- Implement web application firewall (WAF) rules that block HQL/SQL keywords and quote/parenthesis characters in the `sort` parameter of requests reaching the getdocument template. Treat this as a stopgap only: keyword filters are bypass-prone and do not fix the underlying query construction.
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version via Admin → About page or by examining the installation directory. Per the fix versions above, a version is vulnerable if it is from 6.3-milestone-2 up to and including 13.10.4, or from 14.0 up to but not including 14.3-rc-1.
Check Version:
Check the XWiki Admin interface or examine the WEB-INF/version.properties file in the deployed webapp for the version string (WEB-INF/xwiki.properties holds configuration, not the version).
Verify Fix Applied:
After upgrading, verify version is 13.10.5 or higher (stable) or 14.3-rc-1 or higher (development). Check that the getdocument.vm template no longer uses unsanitized request.sort parameter.
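The version ranges stated above are easy to misjudge by hand because XWiki release strings carry Maven-style qualifiers (6.3-milestone-2 sorts before 6.3-rc-1, which sorts before 6.3). The following is an added example, not code from this page or from the XWiki project; it parses such strings and evaluates the ranges given on this page, assuming lower bounds are inclusive and upper bounds are exclusive (derived from the listed fix versions).

```python
import re

# Pre-release qualifiers sort before the final release of the same numeric version.
# Order assumed here: milestone < rc < final (Maven-style, as used by XWiki releases).
QUALIFIER_RANK = {"milestone": 0, "rc": 1, None: 2}

# Affected ranges as stated on this page: (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ("6.3-milestone-2", "13.10.5"),
    ("14.0", "14.3-rc-1"),
]


def parse_version(version):
    """Turn an XWiki version string into a comparable tuple.

    Examples: "13.10.4" -> ((13, 10, 4), 2, 0)
              "14.3-rc-1" -> ((14, 3, 0), 1, 1)
              "6.3-milestone-2" -> ((6, 3, 0), 0, 2)
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))   # "14.3" == "14.3.0"
    qualifier = m.group(2)
    qualifier_num = int(m.group(3)) if m.group(3) else 0
    return (nums, QUALIFIER_RANK[qualifier], qualifier_num)


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if the version falls inside any [lower, upper) affected range."""
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi) for lo, hi in ranges)


if __name__ == "__main__":
    for v in ["13.10.4", "13.10.5", "14.2", "14.3-rc-1", "6.3-milestone-1", "6.3-milestone-2"]:
        print(f"{v:>18}: {'VULNERABLE' if is_affected(v) else 'not affected'}")
```

Feed it the value read from the About page or version.properties; if you later obtain authoritative ranges from the vendor advisory, replace `AFFECTED_RANGES` and the logic stays the same.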
📡 Detection & Monitoring
Log Indicators:
- Unusual HQL/SQL query patterns or Hibernate query errors in application logs that coincide with requests to the getdocument template
- Requests reaching the getdocument template whose `sort` parameter contains HQL keywords (SELECT, FROM, WHERE, UNION, INSERT, UPDATE, DELETE) or quote and parenthesis characters; a legitimate value is a column name optionally followed by asc/desc
- Bursts of such requests from a single client, including guest sessions, since no failed logins need precede exploitation (any user can trigger it)
Network Indicators:
- HTTP requests to getdocument.vm with suspicious `sort` parameters containing HQL/SQL keywords. XWiki selects templates with the `xpage` query parameter, so also match requests carrying `xpage=getdocument`, which will not contain the literal string getdocument.vm in the URL path.
SIEM Query:
(web.url:*getdocument.vm* OR web.url:*xpage=getdocument*) AND web.param.sort:(*UNION* OR *SELECT* OR *FROM* OR *WHERE* OR *INSERT* OR *DELETE* OR *UPDATE*)
Adapt the field names (web.url, web.param.sort) to your log schema; scoping the keyword match to the `sort` parameter rather than all parameters avoids alerting on ordinary page content.
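The indicators above can be turned into a small log scanner. What follows is an added example, not code from this page or from XWiki: it parses combined-format access log lines, keeps only requests that reach the getdocument template (by `xpage=getdocument` or a literal getdocument.vm path), and flags `sort` values containing HQL keywords or break-out characters. The log lines are constructed for the example, and the URL shapes (`?xpage=getdocument&sort=...`) are assumed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameters named on this page as the injection point; add others here if needed.
MONITORED_PARAMS = ("sort",)

# HQL keywords that have no business in a sort expression ("asc"/"desc" are legitimate).
HQL_KEYWORDS = re.compile(r"\b(select|from|where|union|insert|update|delete|having|join)\b", re.I)
# Characters needed to break out of an identifier inside an ORDER BY expression.
BREAKOUT_CHARS = re.compile(r"[()'\";]|--")

# Minimal combined-log-format parser: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def targets_getdocument(path, params):
    """True when the request reaches the getdocument template.

    XWiki picks a template via ?xpage=<name>; the literal .vm path is also
    matched because that is the indicator listed above.
    """
    return path.endswith("getdocument.vm") or "getdocument" in params.get("xpage", [])


def inspect_request(line):
    """Return a list of findings for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if not targets_getdocument(parts.path, params):
        return None
    findings = []
    for name in MONITORED_PARAMS:
        for decoded_once in params.get(name, []):
            # parse_qs already decoded once; decode again to catch double-encoded payloads.
            value = unquote_plus(decoded_once)
            reasons = []
            kw = HQL_KEYWORDS.search(value)
            if kw:
                reasons.append("hql-keyword:" + kw.group(1).lower())
            if BREAKOUT_CHARS.search(value):
                reasons.append("breakout-chars")
            if reasons:
                findings.append({"client": client, "status": int(status),
                                 "param": name, "value": value, "reasons": reasons})
    return findings or None


def scan(lines):
    """Run inspect_request over an iterable of log lines and collect all findings."""
    out = []
    for line in lines:
        hits = inspect_request(line)
        if hits:
            out.extend(hits)
    return out


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2024:10:15:02 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=getdocument&sort=name HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Dec/2024:10:15:05 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=getdocument&sort=date+desc HTTP/1.1" 200 530 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Dec/2024:10:15:09 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=getdocument&sort=name%29+from+XWikiDocument+where+%281%3D1 HTTP/1.1" 200 9021 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Dec/2024:10:16:41 +0000] "GET /xwiki/templates/getdocument.vm?sort=1%27+union+select+1 HTTP/1.1" 404 221 "-" "scanner/1.0"',
    '192.0.2.33 - - [10/Dec/2024:10:17:00 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=plain&sort=select HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [10/Dec/2024:10:17:02 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=getdocument HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only two of the sample lines should be reported: the `xpage=getdocument` request whose sort value contains `from ... where (`, and the scanner-style request to the literal getdocument.vm path. A plain `sort=select` on an unrelated template is ignored because the detection is scoped to the getdocument template, which keeps the false-positive rate low.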