Platform
java
Component
xwiki-platform
Fixed in
3.1.1
15.0.1
15.6.1
CVE-2024-31986 is a critical Remote Code Execution (RCE) vulnerability discovered in XWiki Platform. This flaw allows an attacker to execute arbitrary code on the server by exploiting a crafted document reference and an XWiki.SchedulerJobClass XObject. The vulnerability impacts versions 3.1 through 15.5.4, and a fix is available in XWiki 15.5.5 and later. Applying the provided patch manually is a temporary workaround.
Successful exploitation of CVE-2024-31986 allows an attacker to execute arbitrary code on the server hosting the XWiki Platform instance. This can lead to complete system compromise, including data exfiltration, modification, and denial of service. The attack is triggered when an administrator visits the scheduler page or when the scheduler page is referenced, such as through an image in a wiki page comment. Given the potential for code execution, the blast radius is significant, potentially impacting all data and services hosted on the affected server. This vulnerability shares similarities with other document-based RCE exploits, where malicious content can be injected to trigger code execution.
CVE-2024-31986 was publicly disclosed on April 10, 2024. The vulnerability's severity is rated as CRITICAL (CVSS 9.1). Currently, there are no reports of active exploitation in the wild, but the availability of a public description and the ease of exploitation increase the risk. It is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the vulnerability's nature.
Exploit Status
EPSS
7.90% (92% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-31986 is to upgrade XWiki Platform to version 15.5.5 or later. If immediate upgrading is not possible, a manual patch can be applied by modifying the Scheduler.WebHome page. This workaround involves carefully reviewing and modifying the code to prevent the malicious XObject execution. Consider implementing strict input validation and sanitization for all user-supplied content within XWiki to reduce the attack surface. Monitor XWiki logs for suspicious activity, particularly related to document creation and access patterns. After upgrade, confirm the fix by attempting to create a document with a crafted reference and verifying that the scheduler page visit does not trigger code execution.
Update XWiki Platform to version 14.10.19, 15.5.5, or 15.9, or later. As an alternative, apply the patch manually by modifying the `Scheduler.WebHome` page.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-31986 is a critical Remote Code Execution vulnerability in XWiki Platform versions 3.1 through 15.5.4, allowing attackers to execute arbitrary code on the server.
If you are running XWiki Platform versions 3.1 through 15.5.4, you are potentially affected by this vulnerability. Upgrade to 15.5.5 or later to mitigate the risk.
Upgrade XWiki Platform to version 15.5.5 or later. As a temporary workaround, apply the manual patch by modifying the Scheduler.WebHome page.
While there are currently no confirmed reports of active exploitation, the vulnerability's severity and public disclosure increase the likelihood of exploitation.
Refer to the official XWiki security advisory for detailed information and updates: [https://xwiki.com/xwiki/bin/view/Main/SecurityAdvisories](https://xwiki.com/xwiki/bin/view/Main/SecurityAdvisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.