XWiki Platform SQL Injection Vulnerability in Document Search API

Vulnerability

A SQL injection vulnerability has been identified in XWiki Platform versions 17.0.0-rc-1 through 17.2.2, and in versions 16.10.5 and earlier. On installations backed by an Oracle database, an attacker can execute arbitrary SQL by routing it through Oracle's 'DBMS_XMLGEN' or 'DBMS_XMLQUERY' packages. The root cause is that the 'XWiki#searchDocuments' APIs pass the caller-supplied query fragment to Hibernate without validating it. The APIs fix the SELECT clause themselves, but the remaining parts of the query, in particular the WHERE clause, accept arbitrary Hibernate Query Language (HQL), and HQL function calls placed there are forwarded to the database unchanged.

Impact

Successful exploitation allows arbitrary SQL execution against the underlying Oracle database, which can expose or modify data the attacker is not authorized to read or change, including data outside the wiki's own access-control model. Installations on other database engines are not affected by the Oracle-specific packages named above, but the unvalidated pass-through itself is present regardless of the backend.

Reproduction

To reproduce, call the 'XWiki#searchDocuments' API with a WHERE clause that embeds HQL function calls wrapping Oracle's 'DBMS_XMLGEN' or 'DBMS_XMLQUERY'. Because the WHERE clause is handed to Hibernate without validation, the nested SQL reaches Oracle and runs with the privileges of the wiki's database account; the observable result is data returned or modified that the imposed SELECT clause alone would never have touched.
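The pattern that makes this API dangerous in application code is splicing caller-controlled text into the WHERE clause. The following is an added example, not code from the XWiki project or from the advisory, contrasting that pattern with parameter binding using the 'searchDocuments' overload that accepts a list of parameter values. The class name, the 'author' field, and the use of legacy positional '?' placeholders (which XWiki's store rewrites for Hibernate) are assumptions made here for illustration.

```java
// Added example (not XWiki project code): unsafe vs. parameterised use of
// XWiki#searchDocuments. The method names and the 'author' criterion are
// illustrative assumptions.
import java.util.Collections;
import java.util.List;

import com.xpn.xwiki.XWiki;
import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.XWikiException;

public class DocumentSearchExample
{
    /**
     * Vulnerable pattern: the caller-controlled string becomes part of the HQL
     * WHERE clause. Anything the caller writes, including HQL function calls
     * that Hibernate forwards to the database, is executed as-is.
     */
    public List<String> findByAuthorUnsafe(XWiki xwiki, XWikiContext context, String author)
        throws XWikiException
    {
        // Closing the quote and appending HQL functions is all an attacker needs here.
        String where = "where doc.author = '" + author + "'";
        return xwiki.searchDocuments(where, context);
    }

    /**
     * Safer pattern: the WHERE clause is a fixed literal and the caller's value
     * is passed as a bound parameter, so it can never change the query shape.
     * Assumes XWiki's legacy positional '?' placeholder syntax.
     */
    public List<String> findByAuthorSafe(XWiki xwiki, XWikiContext context, String author)
        throws XWikiException
    {
        String where = "where doc.author = ?";
        List<Object> params = Collections.singletonList(author);
        return xwiki.searchDocuments(where, params, context);
    }
}
```

Parameter binding only closes the door for values your own code passes in; it does not repair the API itself. Any code path that lets a less-trusted caller supply the WHERE clause wholesale remains exposed on an unpatched version, so the upgrade in the remediation section is still required.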

Remediation

Upgrade to XWiki Platform 16.10.6 or 17.3.0-rc-1; both releases contain the patch that addresses this vulnerability. No configuration-level workaround is described for affected versions.

Added: Jul 26, 2025, 4:39 AM
Updated: Jul 26, 2025, 4:39 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 5.8
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.