CVE-2024-21651: 
Java vulnerability analysis and mitigation

CVE-2024-21651 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered and disclosed on January 8, 2024. The issue affects XWiki versions from 14.10 up to (excluding) 14.10.18, versions from 15.5 up to (excluding) 15.5.3, and versions from 15.6 up to (excluding) 15.8 (GitHub Advisory).

The vulnerability is classified as an Uncontrolled Resource Consumption (CWE-400) issue. A user with the ability to attach files to a page can exploit this vulnerability by uploading a malformed TAR file with manipulated file modification times headers. When this file is parsed by Tika, it can trigger excessive CPU consumption. The vulnerability has received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The successful exploitation of this vulnerability can result in a denial of service condition through CPU consumption, potentially affecting the availability of the XWiki platform (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.18, 15.5.3, and 15.8 RC1. As a temporary workaround, users can download commons-compress 1.24 and replace the existing version in the XWiki WEB-INF/lib/ folder (GitHub Advisory, XWiki Jira).