CVE-2024-21651
Published 2024-01-09

Priority: P4 · 32 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.64% (46.0th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 14.10 < 14.10.18 | 14.10.18 |
| xwiki | xwiki | >= 15.5 < 15.5.3 | 15.5.3 |
| xwiki | xwiki | >= 15.6 < 15.8 | 15.8 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
OSV (osv · 2024-01-08): CVE-2024-21651 [HIGH] XWiki vulnerable to Denial of Service attack through attachments
### Impact
A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption.
### Patches
This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.
### Workarounds
The workaround is to download [commons-compress 1.24](https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-compress/1.24.0/commons-compress-1.24.0.jar) and replace the one located in the XWiki `WEB-INF/lib/` folder with it.
### References
https://jira.xwiki.org/browse/XCOMMONS-2796
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki
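The workaround above amounts to making sure the commons-compress jar that XWiki loads from `WEB-INF/lib/` is at least 1.24.0. The following POSIX shell script is an added example, not XWiki's own tooling or part of the advisory; it assumes the jar follows the usual Maven naming convention `commons-compress-<version>.jar` and reports whether the installed version is still below the one the workaround installs.

```shell
#!/bin/sh
# Added example (not XWiki's or the advisory's own code): check whether the
# commons-compress jar in an XWiki WEB-INF/lib directory is at least 1.24.0,
# the version the CVE-2024-21651 workaround installs. Assumes the Maven jar
# naming convention commons-compress-<version>.jar (an assumption).

MIN_VERSION="1.24.0"

# numeric_field VERSION N: the N-th dot-separated numeric field of VERSION,
# or 0 if that field is absent (so "1.24" compares as 1.24.0). Any suffix
# such as "-SNAPSHOT" is dropped before splitting.
numeric_field() {
  f=$(printf '%s' "$1" | sed 's/[^0-9.].*$//' | cut -d. -f"$2")
  printf '%s' "${f:-0}"
}

# version_ge A B: succeed when A >= B, comparing the first three numeric fields.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(numeric_field "$1" "$i")
    b=$(numeric_field "$2" "$i")
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# check_commons_compress LIBDIR: print the version found and return
#   0 if it is at or above MIN_VERSION,
#   1 if it is older (the instance is still exposed),
#   2 if no commons-compress jar is present in LIBDIR.
check_commons_compress() {
  libdir="$1"
  jar=$(ls "$libdir"/commons-compress-*.jar 2>/dev/null | head -n 1)
  if [ -z "$jar" ]; then
    echo "no commons-compress jar found in $libdir"
    return 2
  fi
  ver=$(basename "$jar" .jar | sed 's/^commons-compress-//')
  if version_ge "$ver" "$MIN_VERSION"; then
    echo "commons-compress $ver in $libdir: at or above $MIN_VERSION"
    return 0
  fi
  echo "commons-compress $ver in $libdir: older than $MIN_VERSION, apply the workaround or upgrade XWiki"
  return 1
}

# Usage: check_commons_compress /path/to/xwiki/WEB-INF/lib
```

Run it against the deployed `WEB-INF/lib/` directory after replacing the jar; a non-zero exit status is what a deployment check or monitoring job should alert on. Upgrading to one of the fixed XWiki releases remains the complete fix, since the bundled jar is then replaced on every update rather than once by hand.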
GHSA (ghsa · 2024-01-08): CVE-2024-21651 [HIGH] CWE-400 XWiki vulnerable to Denial of Service attack through attachments. The GHSA entry carries the same Impact, Patches, Workarounds and References text as the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-01-09