Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.
AnalysisAI
Critical SQL injection vulnerability in XWiki that allows unauthenticated remote attackers to execute arbitrary SQL queries against Oracle databases by exploiting insufficient validation of native SQL functions (DBMS_XMLGEN, DBMS_XMLQUERY) in Hibernate query processing. The vulnerability affects XWiki versions before 16.10.2, 16.4.7, and 15.10.16, with a CVSS score of 9.8 indicating critical severity and complete compromise of confidentiality, integrity, and availability. This is a pre-authentication remote code execution vector with no user interaction required.
Technical ContextAI
The vulnerability exists at the intersection of XWiki's query validation layer and Hibernate ORM's native function support. XWiki uses Hibernate for database abstraction, which permits native SQL functions in HQL (Hibernate Query Language) queries. The XWiki query validator fails to properly sanitize or blocklist Oracle-specific functions like DBMS_XMLGEN and DBMS_XMLQUERY, which are privileged PL/SQL packages that can be abused to execute arbitrary SQL. This is rooted in CWE-89 (SQL Injection) where user-controllable input reaches SQL execution contexts without proper parameterization or validation. The root cause is inadequate input validation combined with overly permissive Hibernate function resolution, allowing attackers to bypass intended security controls by leveraging database-native capabilities that the validator does not account for.
RemediationAI
Immediate patching is required: upgrade to XWiki 16.10.2, 16.4.7, or 15.10.16 depending on your current version line. For version 15.x: upgrade to 15.10.16 or later. For version 16.4.x: upgrade to 16.4.7 or later. For version 16.10.x: upgrade to 16.10.2 or later. Interim mitigations pending patch deployment: (1) Restrict network access to XWiki instances using firewall rules or WAF rules that block requests containing suspicious SQL function names (DBMS_XMLGEN, DBMS_XMLQUERY); (2) implement database-level access controls to limit SQL execution capabilities of the XWiki database user account; (3) disable or restrict use of Hibernate native query features if not required by application logic; (4) monitor database logs for suspicious function calls. However, these mitigations are not a substitute for patching and should only be temporary measures.
XWiki Platform allows unauthenticated remote code execution through the SolrSearch endpoint, enabling guests to execute
XWiki Platform prior to specific patched versions contains a CVSS 10.0 remote code execution vulnerability through the u
XWiki is a generic wiki platform. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical
XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl
XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical
XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl
A remote code execution vulnerability in XWiki (CVSS 8.8). Risk factors: public PoC available. Vendor patch is available
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical
XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical
Same weakness CWE-89 – SQL Injection
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2024-54677
GHSA-prwh-7838-xf82