SYNC-2023-042301 - Directory Traversal
Severity: Low
Published: 2023-04-07
Abstract
A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and in Oxygen Content Fusion before 5.0.3 build 2023022015 allows a remote attacker to read files from the application's WEB-INF directory via a crafted HTTP request. (For the Oxygen XML Web Author 24.1 and 23.1 branches, the fixed versions are 24.1.0.3 build 2023021714 and 23.1.1.4 build 2023021715 respectively.)
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen Content Fusion v5.0.2 and older | Medium | Oxygen Content Fusion 5.0.3 build 2023022015 |
| Oxygen XML Web Author v25.0.0.2 and older | Medium | Oxygen XML Web Author 25.0.0.3 build 2023021715; Oxygen XML Web Author 24.1.0.3 build 2023021714; Oxygen XML Web Author 23.1.1.4 build 2023021715 |
Mitigation
Oxygen XML Web Author
If you cannot secure your Oxygen XML Web Author service by updating it with the kits listed above, you can instead disable resource caching in the Tomcat that hosts it:
- locate the context.xml file, usually found in the tomcat/conf/ folder
- edit context.xml and add the following element as a child of the root <Context> element: <Resources cachingAllowed="false"/> (if context.xml already declares a <Resources> element, set cachingAllowed="false" on that element instead of adding a second one)
- restart the Tomcat server
Oxygen Content Fusion
If you cannot secure your Oxygen Content Fusion installation by updating it with the kit listed above, you can apply the same workaround (disabling Tomcat resource caching) to the Web Author service bundled with Content Fusion 5.0. Open a shell (SSH) on the server where Content Fusion is installed and run the following commands:
- export VERSION=5.0
- sudo docker tag oxygenxml/webreviewer-webauthor:v$VERSION oxygenxml/webreviewer-webauthor:v$VERSION-backup
- sudo docker create --name tmp oxygenxml/webreviewer-webauthor:v$VERSION
- sudo docker cp tmp:/tomcat/conf/context.xml context-to-fix.xml
- sed -i 's/<\/Context>/<Resources cachingAllowed="false"\/><\/Context>/g' context-to-fix.xml
- sudo docker cp context-to-fix.xml tmp:/tomcat/conf/context.xml
- sudo docker commit tmp oxygenxml/webreviewer-webauthor:v$VERSION
- sudo docker rm tmp
- rm -rf context-to-fix.xml
- restart the Content Fusion server (see the Content Fusion documentation for the restart procedure)
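The two workarounds above (the manual Tomcat edit for Oxygen XML Web Author and the docker-based edit for Content Fusion) both come down to the same change to tomcat/conf/context.xml. The script below is an added example, not Syncro Soft's own tooling: it applies that change idempotently, refuses to add a second <Resources> element when one already exists (Tomcat accepts only one per <Context>), verifies the result, and wraps the advisory's docker commands so they reuse the same checked edit. The sample context.xml is constructed here to mirror the shape of a stock Tomcat one, and the RUN_DOCKER_STEPS guard is an assumption of this script so that the docker part only runs on a real Content Fusion host.

```shell
#!/bin/sh
# Added example: apply the "disable Tomcat resource caching" workaround from the
# advisory to a context.xml and verify it. Not Syncro Soft's script. The image
# name and /tomcat/conf path are the ones quoted in the advisory; the
# RUN_DOCKER_STEPS guard is this script's own assumption.
set -eu

# Write a constructed sample context.xml (same shape as a stock tomcat/conf/context.xml:
# WatchedResource children, no Resources element) and print its path.
make_sample_context() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
</Context>
EOF
  printf '%s\n' "$f"
}

# 0 if the file already carries <Resources ... cachingAllowed="false" ...>.
caching_disabled() {
  grep -q '<Resources[^>]*cachingAllowed="false"' "$1"
}

# 0 if the file declares any <Resources> element (note the trailing "s": this
# must not match <WatchedResource> or a JNDI <Resource name=...>).
has_resources_element() {
  grep -q '<Resources[[:space:]/>]' "$1"
}

# Insert <Resources cachingAllowed="false"/> as the last child of <Context>.
# Returns 0 when patched or already fixed, 2 when a <Resources> element already
# exists and must be edited by hand (adding a second one would break startup).
patch_context_xml() {
  file="$1"
  if caching_disabled "$file"; then
    echo "caching already disabled in $file"
    return 0
  fi
  if has_resources_element "$file"; then
    echo "existing <Resources> in $file: set cachingAllowed=\"false\" on it manually" >&2
    return 2
  fi
  # Same substitution the advisory uses; -i.bak keeps a backup beside the file.
  sed -i.bak 's/<\/Context>/<Resources cachingAllowed="false"\/><\/Context>/g' "$file"
  caching_disabled "$file"
}

# Content Fusion variant: the advisory's docker steps, with the edit routed
# through patch_context_xml so the checks above apply to the extracted file.
patch_content_fusion_image() {
  version="${1:-5.0}"
  image="oxygenxml/webreviewer-webauthor:v$version"
  sudo docker tag "$image" "${image}-backup"
  sudo docker create --name tmp "$image"
  sudo docker cp tmp:/tomcat/conf/context.xml context-to-fix.xml
  patch_context_xml context-to-fix.xml
  sudo docker cp context-to-fix.xml tmp:/tomcat/conf/context.xml
  sudo docker commit tmp "$image"
  sudo docker rm tmp
  rm -f context-to-fix.xml context-to-fix.xml.bak
}

if [ "${RUN_DOCKER_STEPS:-0}" = "1" ]; then
  # Real host: RUN_DOCKER_STEPS=1 VERSION=5.0 sh patch-context.sh
  patch_content_fusion_image "${VERSION:-5.0}"
else
  # Offline demonstration on the constructed sample.
  sample="$(make_sample_context)"
  patch_context_xml "$sample"
  cat "$sample"
  rm -f "$sample" "$sample.bak"
fi
```

For a plain Oxygen XML Web Author deployment, call patch_context_xml on tomcat/conf/context.xml directly and then restart Tomcat; the docker wrapper is only for the Content Fusion image. Either way, confirm the fix landed with caching_disabled before restarting, and keep the .bak (or the -backup image tag) until the service is verified healthy.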
Note that installing the kit is the preferred solution; the workaround should only be considered a temporary measure until the kit can be applied.
Detail
SYNC-2023-042301
Severity: Medium
CVSS Score: 5.3
Using specially crafted HTTP requests, a remote attacker may read files from the WEB-INF directory of the Oxygen XML Web Author application. The CVSS base score of 5.3 corresponds to Medium; however, by default this directory contains no sensitive information (it holds deployment descriptors such as web.xml), so the practical severity of this issue should be seen as Low.
Revision History
2023-04-27 CVE-2023-26559 CVE ID has been assigned for this vulnerability.
