Exposure of Resource to Wrong Sphere
CVE-2022-24897
Summary
APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. In versions prior to 12.6.7 and 12.7-rc-1 prior to 12.10.3, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-668 - Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
References
Advisory Timeline
- Published