Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-24897

HIGH
Published 2022-05-02T21:49:17.000Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-24897. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
7.5
/10
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.004
probability
of exploitation in the wild

There is a 0.4% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.603
Higher than 60.3% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Description

APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

xwiki

xwiki-commons

Affected Versions:

>= 2.3, < 12.6.7 12.7-rc-1, < 12.10.3

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Arbitrary filesystem write access from velocity.

GHSA-cvx5-m8vg-vxgc

Advisory Details

### Impact The velocity scripts is not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Now writing an attacking script in velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. ### Patches The problem has been patched on versions 12.6.7, 12.10.3 and 13.0RC1. ### Workarounds There's no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights. ### References https://jira.xwiki.org/browse/XWIKI-5168 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [XWiki Security mailing-list](mailto:[email protected])

Affected Packages

Maven org.xwiki.commons:xwiki-commons-velocity
ECOSYSTEM: ≥2.3.0 <12.6.7
Maven org.xwiki.commons:xwiki-commons-velocity
ECOSYSTEM: ≥12.7.0 <12.10.3

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

WEB https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-24897
WEB https://github.com/xwiki/xwiki-commons/pull/127
WEB https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8
PACKAGE https://github.com/xwiki/xwiki-commons
WEB https://jira.xwiki.org/browse/XWIKI-5168

Advisory provided by GitHub Security Advisory Database. Published: April 28, 2022, Modified: April 28, 2022

References

https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc
https://github.com/xwiki/xwiki-commons/pull/127
https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8
https://jira.xwiki.org/browse/XWIKI-5168
Published: 2022-05-02T21:49:17.000Z
Last Modified: 2025-04-22T18:02:07.004Z
Copied to clipboard!