Low severityNVD Advisory· Published May 25, 2022· Updated Apr 23, 2025
Path Traversal in XWiki Platform
CVE-2022-29253
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-oldcoreMaven | >= 8.3-rc-1, < 13.10.3 | 13.10.3 |
Affected products
1- Range: >= 8.3-rc-1, < 13.10.3
Patches
14917c8f35571XWIKI-19349: Bad handling of classloader templates path resolution
2 files changed · +16 −5
xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/internal/skin/AbstractResourceSkin.java+1 −1 modified@@ -142,7 +142,7 @@ private String getSkinResourcePath(String resource) String skinFolder = getSkinFolder(); String resourcePath = skinFolder + resource; - // Prevent inclusion of templates from other directories + // Prevent access to resources from other directories Path normalizedResource = Paths.get(resourcePath).normalize(); // Protect against directory attacks. if (!normalizedResource.startsWith(skinFolder)) {
xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/internal/template/InternalTemplateManager.java+15 −4 modified@@ -24,6 +24,8 @@ import java.lang.reflect.Type; import java.net.URL; import java.nio.charset.StandardCharsets; +import java.nio.file.Path; +import java.nio.file.Paths; import java.util.AbstractSet; import java.util.Arrays; import java.util.Collections; @@ -896,14 +898,23 @@ private EnvironmentTemplate getFileSystemTemplate(String templateName) : null; } - private Template getClassloaderTemplate(String suffixPath, String templateName) + private Template getClassloaderTemplate(String prefixPath, String templateName) { - return getClassloaderTemplate(Thread.currentThread().getContextClassLoader(), suffixPath, templateName); + return getClassloaderTemplate(Thread.currentThread().getContextClassLoader(), prefixPath, templateName); } - private Template getClassloaderTemplate(ClassLoader classloader, String suffixPath, String templateName) + private Template getClassloaderTemplate(ClassLoader classloader, String prefixPath, String templateName) { - String templatePath = suffixPath + templateName; + String templatePath = prefixPath + templateName; + + // Prevent access to resources from other directories + Path normalizedResource = Paths.get(templatePath).normalize(); + // Protect against directory attacks. + if (!normalizedResource.startsWith(prefixPath)) { + this.logger.warn("Direct access to skin file [{}] refused. Possible break-in attempt!", normalizedResource); + + return null; + } URL url = classloader.getResource(templatePath);
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-9qrp-h7fw-42hgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-29253ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2ghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-9qrp-h7fw-42hgghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-19349ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.