CVE-2022-36090

org.xwiki.platform:xwiki-platform-oldcore Improper Authorization check for inactive users

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. On the same way some resources handler created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instance configured with the email activation required for new users. Now it's more critical for versions 11.3-rc-1 and later since the maintainers provided the capability to disable user without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki.

XWiki Platform Old Core es un paquete central para XWiki Platform, una plataforma wiki genérica. En versiones anteriores a 13.1.0.5 y 14.3-rc-1, a algunos recursos les falta una comprobación de usuarios inactivos (aún no activados o deshabilitados) en XWiki, incluido el servicio REST. Esto significa que un usuario deshabilitado puede habilitarse mediante una llamada REST. Del mismo modo, algunos controladores de recursos creados por extensiones no están protegidos por defecto, por lo que un usuario inactivo podría llevar a cabo acciones para dichas extensiones. Este problema ha existido desde al menos la versión 1.1 de XWiki, por ejemplo, configurada con la activación de correo electrónico requerida para nuevos usuarios. Ahora es más crítico para las versiones 11.3-rc-1 y posteriores, ya que los mantenedores proporcionaron la capacidad de deshabilitar a usuarios sin eliminarlos y alentaron a usar esa función. XWiki 14.3-rc-1 y XWiki 13.10.5 contienen un parche

*Credits: N/A

CVSS Scores

NISTv3.1 8.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-15 CVE Reserved
2022-09-08 CVE Published
2024-03-31 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-285: Improper Authorization

CAPEC

References (3)

URL	Tag	Source
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jgc8-gvcx-9vfx	Third Party Advisory

URL	Date	SRC
https://jira.xwiki.org/browse/XWIKI-19559	2024-08-03

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/commit/e074d226d9b2b96a0a1ba4349d1b73a802842986	2022-09-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 1.1 < 13.10.5 Search vendor "Xwiki" for product "Xwiki" and version " >= 1.1 < 13.10.5"		-		Affected