CVE-2023-37913: 
Java vulnerability analysis and mitigation

CVE-2023-37913 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered in version 3.5-milestone-1 and affects versions prior to 14.10.8 and 15.3-rc-1. The vulnerability allows attackers with an account to write files to arbitrary locations on the server through the office converter functionality (GitHub Advisory, NVD).

The vulnerability stems from improper handling of file names in the office converter component. When triggering the office converter with a specially crafted file name containing path traversal sequences (../ or ), an attacker can write the attachment's content to any location on the server where the Java process has write access. This vulnerability can be exploited through two methods: either using the attachment moving feature (introduced in XWiki 14.0) or by uploading the attachment through the REST API in older versions. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) (GitHub Advisory).

The vulnerability can be exploited to write files to arbitrary locations on the server, potentially allowing attackers to replace critical system files or extension JAR files. This could lead to arbitrary Java code execution, impacting the confidentiality, integrity, and availability of the entire XWiki installation. The attack is particularly dangerous as it can be executed by any user with a basic account (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.8 and 15.3RC1. There are no known workarounds apart from disabling the office converter functionality. The attack is not possible when the office conversion process is not running (GitHub Advisory).