CVE-2022-24898: 
Java vulnerability analysis and mitigation

CVE-2022-24898 is a vulnerability in XWiki Commons XML parsing functionality that affects versions 2.7 through versions prior to 12.10.10, 13.4.4, and 13.8-rc-1. The vulnerability was disclosed on April 28, 2022, and allows scripts to access any file accessible to the user running the XWiki application server through XML External Entity (XXE) Injection via the XML script service (GitHub Advisory).

The vulnerability is classified as CWE-611 and received a CVSS v3.1 score of 4.9 (Moderate), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The attack vector is network-based with low complexity, requiring high privileges but no user interaction. The scope is unchanged, with high impact on confidentiality but no impact on integrity or availability (GitHub Advisory).

The vulnerability allows any user with velocity script permission to read arbitrary files, perform directory listing, and execute Server-side request forgery (SSRF) attacks. This could lead to unauthorized access to files accessible by the XWiki application server user (XWiki Jira).

The vulnerability has been patched in versions 12.10.10, 13.4.4, and 13.8RC1. There are no easy workarounds other than upgrading to a patched version and being careful when granting Script rights. The fix involves implementing proper controls for external entity processing in the XML parser (GitHub Advisory).