SCA: security update for org.xwiki.platform:xwiki-platform-rendering-parser (GHSA-52vf-hvv3-98h7)

medium Tenable Self-Hosted Container Security Plugin ID 410519

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform is a generic wiki platform. Starting in version 6.0, users with write rights can insert
well-formed content that is not handled well by the parser. As a consequence, some pages becomes unusable,
including the user index (if the page containing the faulty content is a user page) and the page index.
Note that on the page, the normal UI is completely missing and it is not possible to open the editor
directly to revert the change as the stack overflow is already triggered while getting the title of the
document. This means that it is quite difficult to remove this content once inserted. This has been
patched in XWiki 13.10.10, 14.4.6, and 14.9-rc-1. A temporary workaround to avoid Stack Overflow errors is
to increase the memory allocated to the stack by using the `-Xss` JVM parameter (e.g., `-Xss32m`). This
should allow the parser to pass and to fix the faulty content. The consequences for other aspects of the
system (e.g., performance) are unknown, and this workaround should be only be used as a temporary
solution. The workaround does not prevent the issue occurring again with other content. Consequently, it
is strongly advised to upgrade to a version where the issue has been patched. (CVE-2023-26479)

See Also

https://github.com/advisories/GHSA-52vf-hvv3-98h7

Plugin Details

Severity: Medium

ID: 410519

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2023-26479

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/3/2023

Vulnerability Publication Date: 3/2/2023

Reference Information

CVE: CVE-2023-26479

cwe: CWE-755