What is CVE-2022-24897?

CVE-2022-24897 is a high-severity vulnerability in Xwiki Xwiki-commons, classified under Path Traversal. CVSS score: 7.5/10. Published 2022-05-02.

How severe is CVE-2022-24897?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2022-24897 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Xwiki Xwiki-commons

CVE-2022-24897

APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File A…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.003 (55.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Xwiki Xwiki-commons — versions >= 2.3, < 12.6.7, 12.7-rc-1, < 12.10.3

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

References

github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc (x_refsource_CONFIRM)
github.com/xwiki/xwiki-commons/pull/127 (x_refsource_MISC)
github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8 (x_refsource_MISC)
jira.xwiki.org/browse/XWIKI-5168 (x_refsource_MISC)

Frequently asked questions

What is CVE-2022-24897?: CVE-2022-24897 is a high-severity vulnerability in Xwiki Xwiki-commons, classified under Path Traversal. CVSS score: 7.5/10. Published 2022-05-02.
How severe is CVE-2022-24897?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2022-24897 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.