CVE-2022-29253

Description

### Impact One can ask for any file located in the classloader using the template API and a path with ".." in it. For example ``` {{template name="../xwiki.hbm.xml"/}} ``` To our knownledge none of the available files of the classloader in XWiki Standard contain any strong confidential data, hence the low confidentiality value of this advisory. ### Patches The issue is patched in versions 14.0 and 13.10.3. ### Workarounds There's no easy workaround for this issue, administrators should upgrade their wiki. ### References * https://jira.xwiki.org/browse/XWIKI-19349 * https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security mailing list](mailto:security@xwiki.org)

How to fix CVE-2022-29253

To remediate CVE-2022-29253, upgrade the affected package to a fixed version below.

• —upgrade to 13.10.3 or later

Is CVE-2022-29253 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 8.3-rc-1, < 13.10.3

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-29253
• PATCHgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-9qrp-h7fw-42hg