CVE-2024-31982: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, contains a critical vulnerability (CVE-2024-31982) that affects versions from 2.4-milestone-1 up to versions 14.10.20, 15.5.4, and 15.10-rc-1. The vulnerability allows remote code execution through the database search functionality, which is accessible by default to all users, including unauthenticated visitors (GitHub Advisory).

The vulnerability exists in XWiki's database search functionality where the search text input is not properly sanitized, allowing for code injection. The issue has a CVSS v3.1 base score of 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating the highest possible severity. The vulnerability is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) (GitHub Advisory, NVD).

The vulnerability impacts the confidentiality, integrity, and availability of the entire XWiki installation. Any visitor of a public wiki or user of a closed wiki can execute arbitrary code on the system, as the database search is accessible by default to all users (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.20, 15.5.4, and 15.10RC1. For users unable to update immediately, two workarounds are available: manually applying the patch to the page Main.DatabaseSearch, or deleting the page if database search is not explicitly used, as it is not the default search interface of XWiki (GitHub Advisory).