CVE-2024-56158

EUVD ID: EUVD-2024-54677
Severity: CRITICAL 9.8 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released      Mar 31, 2026 - 21:13  (source: nvd; status: patch available)
Analysis Generated  Mar 14, 2026 - 21:20  (source: vuln.today)
EUVD ID Assigned    Mar 14, 2026 - 21:20  (source: euvd; EUVD-2024-54677)
CVE Published       Jun 12, 2025 - 15:15  (source: nvd)

Description

XWiki is a generic wiki platform. It is possible to execute any SQL query in Oracle by using functions such as DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select, and Hibernate allows any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.

Analysis

CVE-2024-56158 is a critical SQL injection vulnerability in XWiki that allows unauthenticated remote attackers to execute arbitrary SQL queries against Oracle databases. It exploits insufficient validation of native SQL functions (DBMS_XMLGEN, DBMS_XMLQUERY) in Hibernate query processing. The vulnerability affects XWiki versions before 16.10.2, 16.4.7, and 15.10.16; its CVSS score of 9.8 indicates critical severity and complete compromise of confidentiality, integrity, and availability. This is a pre-authentication remote code execution vector with no user interaction required.

Technical Context

The vulnerability exists at the intersection of XWiki's query validation layer and Hibernate ORM's native function support. XWiki uses Hibernate for database abstraction, which permits native SQL functions in HQL (Hibernate Query Language) queries. The XWiki query validator fails to properly sanitize or blocklist Oracle-specific functions like DBMS_XMLGEN and DBMS_XMLQUERY, which are privileged PL/SQL packages that can be abused to execute arbitrary SQL. This is rooted in CWE-89 (SQL Injection) where user-controllable input reaches SQL execution contexts without proper parameterization or validation. The root cause is inadequate input validation combined with overly permissive Hibernate function resolution, allowing attackers to bypass intended security controls by leveraging database-native capabilities that the validator does not account for.

Affected Products

XWiki (all deployments using Oracle databases) versions: 15.x before 15.10.16, 16.4.x before 16.4.7, 16.10.x before 16.10.2. CPE identifiers: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* (all versions prior to patched releases). The vulnerability is specific to Oracle database backends; PostgreSQL, MySQL, and other database backends may have different exploitation vectors or may not be affected if they lack equivalent system packages. Enterprise and community editions of XWiki are affected equally. Affected configurations include any XWiki instance configured with an Oracle database connection and exposed to untrusted network access.
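The version ranges above are easy to misread when an inventory mixes maintenance lines, so here is an added example (not XWiki's or vuln.today's code) that encodes exactly the ranges this page lists and answers "does this host need the patch?". It assumes the advisory's statement that only Oracle-backed deployments are in scope, treats 16.x lines the page does not name (16.0-16.3, 16.5-16.9) as "not covered" rather than guessing, and ignores pre-release qualifiers such as "-rc-1" when parsing. The inventory in the `__main__` block is constructed for illustration.

```python
"""Check whether an XWiki version string sits in one of the affected ranges
the advisory lists for CVE-2024-56158 (15.x before 15.10.16, 16.4.x before
16.4.7, 16.10.x before 16.10.2).  Added example, not XWiki's own code."""
import re
from typing import Optional

Version = tuple[int, int, int]

# Fixed releases per maintenance line, exactly as named in the advisory.
FIXED: dict[tuple[int, int], Version] = {
    (15, 10): (15, 10, 16),
    (16, 4): (16, 4, 7),
    (16, 10): (16, 10, 2),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]'; a missing patch counts as 0.
    Assumption: pre-release qualifiers such as '-rc-1' are ignored."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_release_for(version: Version) -> Optional[Version]:
    """Fixed release that applies to this version's line, or None when the
    advisory names no fix for that line."""
    major, minor, _ = version
    if major == 15:
        return FIXED[(15, 10)]       # advisory: all 15.x before 15.10.16
    if major == 16 and minor in (4, 10):
        return FIXED[(16, minor)]
    return None


def is_affected(version_text: str, oracle_backend: bool = True) -> Optional[bool]:
    """True: inside an affected range.  False: at/after the fix, later than
    every fix, or not an Oracle backend.  None: line not covered by the page."""
    if not oracle_backend:
        return False                 # the advisory scopes this to Oracle
    version = parse_version(version_text)
    fix = fixed_release_for(version)
    if fix is not None:
        return version < fix
    # 17.x and later postdate every fixed release named in the advisory.
    if version > max(FIXED.values()):
        return False
    return None                      # e.g. 16.0-16.3, 16.5-16.9, or pre-15


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Target release for an affected version; None if no upgrade is needed
    or the advisory does not say."""
    if is_affected(version_text) is not True:
        return None
    fix = fixed_release_for(parse_version(version_text))
    return ".".join(map(str, fix)) if fix else None


def triage(inventory: list[dict]) -> list[dict]:
    """Reduce {'host', 'version', 'backend'} records to those needing the
    patch, with the target release attached."""
    needs_patch = []
    for item in inventory:
        verdict = is_affected(item["version"], item["backend"] == "oracle")
        if verdict is True:
            needs_patch.append({**item, "upgrade_to": recommended_upgrade(item["version"])})
    return needs_patch


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = [
        {"host": "wiki-a", "version": "16.10.1", "backend": "oracle"},
        {"host": "wiki-b", "version": "16.4.7", "backend": "oracle"},
        {"host": "wiki-c", "version": "15.10.3", "backend": "postgresql"},
    ]
    for entry in triage(sample):
        print(f"{entry['host']}: {entry['version']} -> upgrade to {entry['upgrade_to']}")
```

A `None` verdict is deliberate: for a 16.7.x host the page gives no fixed release, so the script reports "not covered" instead of silently calling it safe, and the operator should consult the vendor advisory for that line.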

Remediation

Immediate patching is required: upgrade to XWiki 16.10.2, 16.4.7, or 15.10.16 depending on your current version line.

For version 15.x: upgrade to 15.10.16 or later.
For version 16.4.x: upgrade to 16.4.7 or later.
For version 16.10.x: upgrade to 16.10.2 or later.

Interim mitigations pending patch deployment:

(1) Restrict network access to XWiki instances using firewall rules or WAF rules that block requests containing suspicious SQL function names (DBMS_XMLGEN, DBMS_XMLQUERY).
(2) Implement database-level access controls to limit the SQL execution capabilities of the XWiki database user account.
(3) Disable or restrict use of Hibernate native query features if not required by application logic.
(4) Monitor database logs for suspicious function calls.

These mitigations are not a substitute for patching and should only be temporary measures.
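Mitigations (1) and (4) both come down to spotting the two package names in query or request logs. The following added example (not XWiki's or vuln.today's code) is a first-cut detector for that: it percent-decodes each line and matches the names case-insensitively, so a mixed-case or URL-encoded reference is still flagged. The log format, the `component=`/`hql=`/`path=` fields and the sample lines are constructed for illustration; function calls in the samples are replaced by `REDACTED`, since the detector keys only on the package name.

```python
"""First-cut detector for the "monitor database logs" mitigation: flag
query-log lines that reference the Oracle packages the advisory names
(DBMS_XMLGEN, DBMS_XMLQUERY).  Added example, not XWiki or vuln.today code;
the log format below is constructed for illustration."""
import re
from urllib.parse import unquote

# Package names taken from the advisory.  Matching runs on normalised text so
# that mixed case or percent-encoded underscores do not slip past the rule.
WATCHED_PACKAGES = ("DBMS_XMLGEN", "DBMS_XMLQUERY")
_PATTERN = re.compile("|".join(map(re.escape, WATCHED_PACKAGES)), re.IGNORECASE)


def normalise(text: str) -> str:
    """Undo up to two rounds of percent-encoding (request logs often carry
    URL-encoded query parameters); stop early once decoding is stable."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def watched_packages_in(line: str) -> list[str]:
    """Sorted, upper-cased package names referenced on the line."""
    return sorted({m.group(0).upper() for m in _PATTERN.finditer(normalise(line))})


def scan(lines) -> list[tuple[int, list[str]]]:
    """(1-based line number, packages found) for every line that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = watched_packages_in(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed sample: an XWiki-style query log plus one request-log line.
# Calls are replaced by REDACTED; the detector keys only on the package name.
SAMPLE_LOG = [
    '2025-06-12T15:15:01Z component=query user=guest hql="select doc.fullName from XWikiDocument doc where doc.space = :space"',
    '2025-06-12T15:15:07Z component=query user=guest hql="select dbms_xmlgen.REDACTED(doc.name) from XWikiDocument doc"',
    '2025-06-12T15:15:09Z component=http user=guest path="/api?q=select%20DBMS%5FXMLQUERY.REDACTED%28%29%20from%20XWikiDocument%20doc"',
    '2025-06-12T15:15:12Z component=query user=admin hql="select doc.name from XWikiDocument doc where doc.name like :prefix"',
]

if __name__ == "__main__":
    for number, packages in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(packages)}")
```

Token matching of this kind is what the page's WAF suggestion amounts to, and it is why the page calls it an interim measure: it only catches references the normaliser can expose, so it belongs in monitoring alongside the upgrade, not in place of it.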

Priority Score

50 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.7
CVSS: +49
POC: 0

CVE-2024-56158 vulnerability details – vuln.today
