SCA: security update for org.xwiki.platform:xwiki-platform-office-importer (GHSA-vcvr-v426-3m3m)

high Tenable Self-Hosted Container Security Plugin ID 419276

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.
Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office
converter with a specially crafted file name allows writing the attachment's content to an attacker-
controlled location on the server as long as the Java process has write access to that location. In
particular in the combination with attachment moving, a feature introduced in XWiki 14.0, this is easy to
reproduce but it also possible to reproduce in versions as old as XWiki 3.5 by uploading the attachment
through the REST API which doesn't remove `/` or `\` from the filename. As the mime type of the attachment
doesn't matter for the exploitation, this could e.g., be used to replace the `jar`-file of an extension
which would allow executing arbitrary Java code and thus impact the confidentiality, integrity and
availability of the XWiki installation. This vulnerability has been patched in XWiki 14.10.8 and 15.3RC1.
There are no known workarounds apart from disabling the office converter. (CVE-2023-37913)

See Also

https://github.com/advisories/GHSA-vcvr-v426-3m3m

Plugin Details

Severity: High

ID: 419276

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-37913

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/25/2023

Vulnerability Publication Date: 10/25/2023

Reference Information

CVE: CVE-2023-37913

cwe: CWE-22