CVE-2024-21651

Description

### Impact A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. ### Patches This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1. ### Workarounds The workaround is to download [commons-compress 1.24](https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-compress/1.24.0/commons-compress-1.24.0.jar) and replace the one located in XWiki `WEB-INF/lib/` folder. ### References https://jira.xwiki.org/browse/XCOMMONS-2796 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

How to fix CVE-2024-21651

To remediate CVE-2024-21651, upgrade the affected package to a fixed version below.

• —upgrade to 14.10.18 or later

Is CVE-2024-21651 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 14.10, < 14.10.18

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-21651
• PATCHgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4
• WEBjira.xwiki.org/browse/XCOMMONS-2796