XWiki JIRA Extension XXE Vulnerability Allowing Local File Disclosure

Vulnerability

A vulnerability exists in the XWiki JIRA extension, affecting versions from 4.2 up to but not including 8.6.5. It allows any logged-in XWiki user to abuse the JIRA macro by pointing it at a fake JIRA URL that returns an XML document whose DOCTYPE references a local file on the XWiki server. The content of that file is then displayed in one of the JIRA response fields, such as the summary or description. The issue arises because the JIRA macro neither validates nor sanitizes the URL input, so an attacker-controlled XML response is passed to the JIRA integration and processed.

Impact

Exploitation of this vulnerability leads to a data leak through an XML External Entity (XXE) attack, giving the user read access to local files on the XWiki server.

Reproduction

To reproduce this vulnerability, a logged-in user can edit their user profile wiki page and use the JIRA macro. By specifying a fake JIRA URL that returns an XML response with a DOCTYPE pointing to a local file, such as '/etc/passwd', the contents of that file can be extracted and displayed in the JIRA response.

Remediation

Users can upgrade to XWiki JIRA Extension version 8.6.5 or later, where this vulnerability has been patched.
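The defensive counterpart to the issue described above is an XML parser that refuses a DOCTYPE outright and never resolves external entities. The following is an added example written for this page, not the extension's own code or its actual patch; the class name is hypothetical and both sample responses are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedJiraXmlParser {

    // Builds a DOM parser that rejects any DOCTYPE declaration and disables
    // external general/parameter entities, which is what an XXE payload relies on.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parse(String xml) throws Exception {
        return hardenedBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a benign JIRA-style XML response: parses normally.
        String benign = "<rss><channel><item><key>XWIKI-1</key>"
            + "<summary>Example issue</summary></item></channel></rss>";
        System.out.println("benign summary: "
            + parse(benign).getElementsByTagName("summary").item(0).getTextContent());

        // Constructed sample of the hostile response the advisory describes:
        // a DOCTYPE whose entity points at a server-local file.
        String hostile = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
            + "<rss><channel><item><summary>&xxe;</summary></item></channel></rss>";
        try {
            parse(hostile);
            System.out.println("hostile response parsed: parser is NOT hardened");
        } catch (SAXException e) {
            // Expected outcome: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("hostile response rejected: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in parser the hostile sample fails with a SAXParseException naming the disallow-doctype-decl feature, so the file content never reaches a response field.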

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  6.6
  remediation     7.7
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.