CVE-2024-55876
📋 TL;DR
This vulnerability allows any authenticated user on the main XWiki wiki to execute scheduling operations on subwikis without proper authorization. It affects XWiki Platform instances with subwikis where the Job Scheduler is enabled. The issue stems from missing authorization checks for cross-wiki scheduling operations.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could manipulate job scheduling on subwikis to disrupt operations, execute unauthorized tasks, or potentially escalate privileges if job execution leads to code execution.
Likely Case
Unauthorized users could trigger, pause, or manipulate scheduled jobs on subwikis, causing service disruption or unintended job execution.
If Mitigated
With proper access controls and network segmentation, impact would be limited to job scheduling manipulation within the affected subwiki scope.
🎯 Exploit Status
Exploitation requires authenticated access to the main wiki and knowledge of subwiki structure. The vulnerability is trivially exploitable via the web interface as described in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.10.9 or 16.3.0
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cwq6-mjmx-47p6
Restart Required: Yes
Instructions:
1. Backup your XWiki instance.
2. Upgrade to XWiki 15.10.9 (for 15.x branch) or 16.3.0 (for 16.x branch).
3. Restart the application server.
4. Verify the fix by testing the reproduction steps.
🔧 Temporary Workarounds
Manual ACL Modification
Edit the objects on Scheduler.WebPreferences in each subwiki to restrict scheduling operations to authorized users only.
Edit Scheduler.WebPreferences document objects to match the patch: https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331
🧯 If You Can't Patch
- Disable Job Scheduler on all subwikis if not required
- Implement network-level access controls to restrict main wiki user access to subwiki administration interfaces
🔍 How to Verify
Check if Vulnerable:
As a user on the main wiki without special rights, navigate to a subwiki's Scheduler.WebHome document and attempt to trigger any job. If successful, the instance is vulnerable.
Check Version:
Check XWiki version in Administration → About section or via REST API
Verify Fix Applied:
After patching, repeat the vulnerability test. Job scheduling operations should be properly restricted to authorized users only.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Scheduler.WebHome in subwikis
- Job scheduling operations from unexpected users or IPs
Network Indicators:
- HTTP requests to subwiki paths containing 'Scheduler' from main wiki users
SIEM Query:
web_access_logs WHERE (uri CONTAINS 'Scheduler' AND uri CONTAINS 'subwiki') AND user NOT IN authorized_users
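The SIEM pseudo-query above can be expressed as concrete log-parsing logic. The following is an added example written for this page, not code from XWiki or from the advisory. It assumes the application server writes Apache/Tomcat "combined"-style access logs with the authenticated user in the third field, and that subwikis are reached by path-based URLs of the form `/xwiki/wiki/<subwiki>/<action>/<Space>/<Page>` (domain-based subwikis would need host matching instead). The log lines are constructed for the example and are not real traffic.

```python
import re
from collections import Counter
from typing import Dict, List, Set

# Apache/Tomcat "combined" access log line (assumption: the 3rd field is the
# authenticated remote user; '-' means unauthenticated).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path-based subwiki URL layout (assumption): /xwiki/wiki/<subwiki>/<action>/Scheduler/...
SUBWIKI_SCHEDULER_RE = re.compile(
    r'^/xwiki/wiki/(?P<subwiki>[^/]+)/(?P<action>[^/]+)/Scheduler/'
)

# Constructed sample log lines for the example; not captured from a real instance.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Dec/2024:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
10.0.0.7 - bob [01/Dec/2024:10:00:05 +0000] "GET /xwiki/wiki/hr/view/Scheduler/WebHome HTTP/1.1" 200 8192
10.0.0.7 - bob [01/Dec/2024:10:00:09 +0000] "GET /xwiki/wiki/hr/view/Scheduler/WebHome?do=trigger HTTP/1.1" 302 0
10.0.0.9 - admin [01/Dec/2024:10:01:00 +0000] "GET /xwiki/wiki/hr/view/Scheduler/WebHome?do=pause HTTP/1.1" 302 0
10.0.0.7 - bob [01/Dec/2024:10:02:00 +0000] "GET /xwiki/wiki/hr/view/Main/WebHome HTTP/1.1" 200 4096
10.0.0.3 - - [01/Dec/2024:10:03:00 +0000] "GET /xwiki/wiki/hr/view/Scheduler/WebHome HTTP/1.1" 401 0
"""


def find_suspect_scheduler_requests(log_text: str, authorized: Set[str]) -> List[Dict[str, str]]:
    """Return every request to a subwiki Scheduler space made by a user who is
    not in the authorized set. Unauthenticated requests ('-') are included,
    since they are at least worth a look. Lines that do not parse are skipped."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Match on the path only; the query string is kept for the analyst but
        # not relied on, because the exact parameters depend on the XWiki version.
        path_only = m.group("path").split("?", 1)[0]
        sm = SUBWIKI_SCHEDULER_RE.match(path_only)
        if not sm:
            continue
        user = m.group("user")
        if user in authorized:
            continue
        hits.append({
            "time": m.group("time"),
            "ip": m.group("ip"),
            "user": user,
            "subwiki": sm.group("subwiki"),
            "action": sm.group("action"),
            "path": m.group("path"),
            "status": m.group("status"),
        })
    return hits


def summarize_by_user(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per user, so a single account probing several
    subwikis' scheduler pages stands out."""
    return dict(Counter(h["user"] for h in hits))


if __name__ == "__main__":
    # 'admin' is the only account expected to touch subwiki schedulers (assumed).
    flagged = find_suspect_scheduler_requests(SAMPLE_LOG, {"admin"})
    for h in flagged:
        print(f'{h["time"]} {h["ip"]} user={h["user"]} subwiki={h["subwiki"]} '
              f'{h["action"]} {h["path"]} -> {h["status"]}')
    print("per-user:", summarize_by_user(flagged))
```

On the sample input the function flags the two requests from `bob` and the unauthenticated one, and leaves `admin`'s request and `bob`'s non-Scheduler page view alone. In production, feed it the real access log and populate the authorized set from the accounts that legitimately administer each subwiki; after patching, the same requests from unauthorized users should show non-2xx/3xx statuses, which is a useful secondary signal that the fix is in place.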