
GHSA-8959-rfxh-r4j4

GitHub Security Advisory

XWiki vulnerable to Denial of Service attack through attachments

GitHub Reviewed: Yes. Severity: HIGH. Has CVE: Yes.

Advisory Details

### Impact

A user who is able to attach a file to a page can upload a malformed TAR file whose file-modification-time headers have been manipulated. When Tika parses such an attachment, the malformed headers can cause a denial of service through excessive CPU consumption.

### Patches

This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.

### Workarounds

The workaround is to download [commons-compress 1.24](https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-compress/1.24.0/commons-compress-1.24.0.jar) and use it to replace the commons-compress jar located in XWiki's `WEB-INF/lib/` folder.
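A quick way to verify that the workaround (or a patched build) is actually in place on a given instance is to inspect the commons-compress jar shipped in `WEB-INF/lib/`. The script below is an added example, not part of the advisory or of XWiki; it assumes the jar follows the usual Maven naming `commons-compress-<version>.jar` and reports whether the version is at least 1.24.0.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the commons-compress jar
# in an XWiki WEB-INF/lib directory is at least 1.24.0, the version the
# advisory's workaround installs. Assumes Maven-style jar names.

# Print the version embedded in a jar name, e.g.
# "commons-compress-1.23.0.jar" -> "1.23.0". Prints nothing if no match.
commons_compress_version() {
    basename "$1" | sed -n 's/^commons-compress-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Return 0 when dotted version $1 >= $2, comparing component by component
# (pure POSIX sh, so it does not rely on GNU `sort -V`).
version_at_least() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        [ -n "$ac" ] || ac=0
        [ -n "$bc" ] || bc=0
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# Inspect a WEB-INF/lib directory. Exit codes:
#   0 = commons-compress >= 1.24.0 present (workaround or fix in place)
#   1 = only an older commons-compress present (still exposed)
#   2 = no commons-compress jar found at all
check_webinf_lib() {
    lib_dir="$1"
    found=""
    for jar in "$lib_dir"/commons-compress-*.jar; do
        [ -e "$jar" ] || continue          # glob did not match anything
        ver=$(commons_compress_version "$jar")
        [ -n "$ver" ] || continue
        found="$ver"
        if version_at_least "$ver" "1.24.0"; then
            echo "OK: $jar (>= 1.24.0)"
            return 0
        fi
    done
    if [ -n "$found" ]; then
        echo "VULNERABLE: commons-compress $found in $lib_dir is older than 1.24.0"
        return 1
    fi
    echo "UNKNOWN: no commons-compress jar found in $lib_dir"
    return 2
}
```

Run it as `check_webinf_lib /path/to/xwiki/WEB-INF/lib` after deploying the replacement jar; a non-zero exit code means the instance still needs attention.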

### References

https://jira.xwiki.org/browse/XCOMMONS-2796

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
|---|---|---|---|
| Maven | `org.xwiki.platform:xwiki-platform-distribution-war` | 14.10 | 14.10.18 |
| Maven | `org.xwiki.platform:xwiki-platform-distribution-war` | 15.0-rc-1 | 15.5.3 |
| Maven | `org.xwiki.platform:xwiki-platform-distribution-war` | 15.6-rc-1 | 15.8-rc-1 |

Key Information

* GHSA ID: GHSA-8959-rfxh-r4j4
* Published: January 8, 2024 4:39 PM
* Last Modified: January 9, 2024 4:12 PM
* CVSS Score: 7.5 / 10
* Primary Ecosystem: Maven
* Primary Package: `org.xwiki.platform:xwiki-platform-distribution-war`
* GitHub Reviewed: Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from the GitHub Advisory Database.