High severity · NVD Advisory · Published Jan 8, 2024 · Updated Jun 3, 2025
XWiki Denial of Service attack through attachments
CVE-2024-21651
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user who is able to attach a file to a page can post a malformed TAR file with manipulated file modification time headers; when Tika parses the file, this could cause a denial of service through CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-distribution-war (Maven) | >= 14.10, < 14.10.18 | 14.10.18 |
| org.xwiki.platform:xwiki-platform-distribution-war (Maven) | >= 15.0-rc-1, < 15.5.3 | 15.5.3 |
| org.xwiki.platform:xwiki-platform-distribution-war (Maven) | >= 15.6-rc-1, < 15.8-rc-1 | 15.8-rc-1 |
Affected products
- Range: >= 14.10, < 14.10.18
References
- github.com/advisories/GHSA-8959-rfxh-r4j4 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-21651 (ghsa; ADVISORY)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4 (ghsa; x_refsource_CONFIRM; WEB)
- jira.xwiki.org/browse/XCOMMONS-2796 (ghsa; x_refsource_MISC; WEB)
- search.maven.org/remotecontent (ghsa; WEB)