Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS (see the CWE section below).
Information

Name: CVE-2022-24897
Vendor: Cve
First vendor publication: 2022-05-02
Last vendor modification: 2023-07-06

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score: 7.5
Base Score: 7.5
Environmental Score: 7.5
Impact Sub Score: 5.9
Temporal Score: 7.5
Exploitability Sub Score: 1.6

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CVSS Base Score: 6
CVSS Impact Score: 6.4
CVSS Exploit Score: 6.8
Attack Range: Network
Attack Complexity: Medium
Authentication: Requires single instance

Detail

The affected component is the xwiki-commons package that provides APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, Velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires Script rights in XWiki, so not all users can exploit this, and it also requires finding an XWiki API that returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for this vulnerability other than upgrading and being careful when granting Script rights.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24897

CWE : Common Weakness Enumeration

%      Id      Name
100 %  CWE-22  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type         Count
Application  77

Sources (Detail)

Source   Url
CONFIRM  https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc
MISC     https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e...
         https://github.com/xwiki/xwiki-commons/pull/127
         https://jira.xwiki.org/browse/XWIKI-5168

Alert History

Date                 Information
2023-11-30 02:20:44  Multiple Updates
2023-11-03 02:27:00  Multiple Updates
2023-11-01 02:21:29  Multiple Updates
2023-09-30 13:17:45  Multiple Updates
2023-08-30 02:17:38  Multiple Updates
2023-07-06 17:28:54  Multiple Updates
2023-07-01 02:14:20  Multiple Updates
2023-05-17 02:12:56  Multiple Updates
2023-05-02 02:13:54  Multiple Updates
2023-04-27 02:18:02  Multiple Updates
2023-04-26 02:16:41  Multiple Updates
2023-03-15 02:10:48  Multiple Updates
2023-03-14 02:11:03  Multiple Updates
2022-12-01 02:05:47  Multiple Updates
2022-09-16 02:10:54  Multiple Updates
2022-09-14 02:12:05  Multiple Updates
2022-06-08 02:03:12  Multiple Updates
2022-05-11 21:22:58  Multiple Updates
2022-05-03 17:22:53  Multiple Updates
2022-05-03 05:22:54  First insertion