GMS-2022-1102: Arbitrary filesystem write access from velocity.

April 28, 2022

The velocity scripts is not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Now writing an attacking script in velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File.

References

github.com/advisories/GHSA-cvx5-m8vg-vxgc
github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc
jira.xwiki.org/browse/XWIKI-5168

Code Behaviors & Features

Detect and mitigate GMS-2022-1102 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →