ghsa-f69v-xrj8-rhxf
Vulnerability from github
Published
2025-04-23 14:42
Modified
2025-04-23 19:15
Severity ?
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API
Details

Impact

It is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled.

Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.

The vulnerability may be tested in a default installation of XWIki Standard Flavor, including using the official Docker containers.

An example query, which leads to SQL injection with MySQL/MariaDB backend is shown below:

time curl "http://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20doc.name=length('a')*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(10)%20%23%27&type=hql&distinct=0"

When executed, the response from the server will come after a delay of 10 extra seconds, indicating successful execution of the injected SQL statement.

An example of a query for the PostgreSQL database backend is shown below:

curl "https://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20%24%24='%24%24=concat(%20chr(%2061%20),(chr(%2039%20))%20)%20;select%201%20--%20comment'&type=hql&distinct=0"

Both requests employ database backend dependent techniques of breaking out of HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections.

Patches

This has been patched in 16.10.1, 16.4.6 and 15.10.16.

Workarounds

There is no known workaround, other than upgrading XWiki.

References

https://jira.xwiki.org/browse/XWIKI-22691

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

Sergey Anufrienko from Kaspersky ICS-CERT vulnerability research team reported this vulnerability.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8"
            },
            {
              "fixed": "15.10.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0-rc-1"
            },
            {
              "fixed": "16.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.5.0-rc-1"
            },
            {
              "fixed": "16.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-23T14:42:42Z",
    "nvd_published_at": "2025-04-23T16:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nIt is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when \"Prevent unregistered users from viewing pages, regardless of the page rights\" and \"Prevent unregistered users from editing pages, regardless of the page rights\" options are enabled.\n\nDepending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.\n\nThe vulnerability may be tested in a default installation of XWIki Standard Flavor, including using the official Docker containers.\n\nAn example query, which leads to SQL injection with MySQL/MariaDB backend is shown below:\n\n```\ntime curl \"http://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20doc.name=length(\u0027a\u0027)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(10)%20%23%27\u0026type=hql\u0026distinct=0\"\n```\n\nWhen executed, the response from the server will come after a delay of 10 extra seconds, indicating successful execution of the injected SQL statement.\n\nAn example of a query for the PostgreSQL database backend is shown below:\n\n```\ncurl \"https://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20%24%24=\u0027%24%24=concat(%20chr(%2061%20),(chr(%2039%20))%20)%20;select%201%20--%20comment\u0027\u0026type=hql\u0026distinct=0\"\n```\n\nBoth requests employ database backend dependent techniques of breaking out of HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections.\n\n### Patches\n\nThis has been patched in 16.10.1, 16.4.6 and 15.10.16.\n\n### Workarounds\n\nThere is no known workaround, other than upgrading XWiki.\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-22691\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nSergey Anufrienko from Kaspersky ICS-CERT vulnerability research team reported this vulnerability.",
  "id": "GHSA-f69v-xrj8-rhxf",
  "modified": "2025-04-23T19:15:38Z",
  "published": "2025-04-23T14:42:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f69v-xrj8-rhxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/5c11a874bd24a581f534d283186e209bbccd8113"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-22691"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.