cnvd - cnvd-2022-13405

CNVD-2022-13405

Vulnerability from cnvd - Published: 2022-02-23

Title

Xwiki Platform授权问题漏洞（CNVD-2022-13405）

Description

Xwiki Platform是法国Xwiki公司的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform存在授权问题漏洞，该漏洞源于即使wiki对访客关闭也可通过使用忘记密码表单来猜测用户是否在wiki上有账户，攻击者可利用该漏洞猜解存在的用户。

Severity

中

Patch Name

Xwiki Platform授权问题漏洞（CNVD-2022-13405）的补丁

Patch Description

Xwiki Platform是法国Xwiki公司的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform存在授权问题漏洞，该漏洞源于即使wiki对访客关闭也可通过使用忘记密码表单来猜测用户是否在wiki上有账户，攻击者可利用该漏洞猜解存在的用户。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f

Reference

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f

Impacted products

Name
['XWiki XWiki Platform <12.10.9', 'XWiki XWiki Platform <13.4.1', 'XWiki XWiki Platform <13.6RC1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-23619",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-23619"
    }
  },
  "description": "Xwiki Platform\u662f\u6cd5\u56fdXwiki\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u521b\u5efaWeb\u534f\u4f5c\u5e94\u7528\u7a0b\u5e8f\u7684Wiki\u5e73\u53f0\u3002\n\nXWiki Platform\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5373\u4f7fwiki\u5bf9\u8bbf\u5ba2\u5173\u95ed\u4e5f\u53ef\u901a\u8fc7\u4f7f\u7528\u5fd8\u8bb0\u5bc6\u7801\u8868\u5355\u6765\u731c\u6d4b\u7528\u6237\u662f\u5426\u5728wiki\u4e0a\u6709\u8d26\u6237\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u731c\u89e3\u5b58\u5728\u7684\u7528\u6237\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-13405",
  "openTime": "2022-02-23",
  "patchDescription": "Xwiki Platform\u662f\u6cd5\u56fdXwiki\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u521b\u5efaWeb\u534f\u4f5c\u5e94\u7528\u7a0b\u5e8f\u7684Wiki\u5e73\u53f0\u3002\r\n\r\nXWiki Platform\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5373\u4f7fwiki\u5bf9\u8bbf\u5ba2\u5173\u95ed\u4e5f\u53ef\u901a\u8fc7\u4f7f\u7528\u5fd8\u8bb0\u5bc6\u7801\u8868\u5355\u6765\u731c\u6d4b\u7528\u6237\u662f\u5426\u5728wiki\u4e0a\u6709\u8d26\u6237\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u731c\u89e3\u5b58\u5728\u7684\u7528\u6237\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Xwiki Platform\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-13405\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "XWiki XWiki Platform \u003c12.10.9",
      "XWiki XWiki Platform \u003c13.4.1",
      "XWiki XWiki Platform \u003c13.6RC1"
    ]
  },
  "referenceLink": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f",
  "serverity": "\u4e2d",
  "submitTime": "2022-02-13",
  "title": "Xwiki Platform\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-13405\uff09"
}

CVE-2022-23619 (GCVE-0-2022-23619)

Vulnerability from cvelistv5 – Published: 2022-02-09 21:10 – Updated: 2025-04-23 19:06

Title

Information exposure in xwiki-platform

Summary

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to guess if a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users. This problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised yo update. There are no known workarounds for this issue.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/d8…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-18787	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 13.6.0, < 13.6RC1 Affected: >= 13.0.0, < 13.4.1 Affected: < 12.10.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.542Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jira.xwiki.org/browse/XWIKI-18787"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23619",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:57:37.274388Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:06:04.533Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 13.6.0, \u003c 13.6RC1"
            },
            {
              "status": "affected",
              "version": "\u003e= 13.0.0, \u003c 13.4.1"
            },
            {
              "status": "affected",
              "version": "\u003c 12.10.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it\u0027s possible to guess if a user has an account on the wiki by using the \"Forgot your password\" form, even if the wiki is closed to guest users. This problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised yo update. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-09T21:10:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-18787"
        }
      ],
      "source": {
        "advisory": "GHSA-35fg-hjcr-j65f",
        "discovery": "UNKNOWN"
      },
      "title": "Information exposure in xwiki-platform",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23619",
          "STATE": "PUBLIC",
          "TITLE": "Information exposure in xwiki-platform"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "xwiki-platform",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 13.6.0, \u003c 13.6RC1"
                          },
                          {
                            "version_value": "\u003e= 13.0.0, \u003c 13.4.1"
                          },
                          {
                            "version_value": "\u003c 12.10.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "xwiki"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it\u0027s possible to guess if a user has an account on the wiki by using the \"Forgot your password\" form, even if the wiki is closed to guest users. This problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised yo update. There are no known workarounds for this issue."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f",
              "refsource": "CONFIRM",
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494",
              "refsource": "MISC",
              "url": "https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-18787",
              "refsource": "MISC",
              "url": "https://jira.xwiki.org/browse/XWIKI-18787"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-35fg-hjcr-j65f",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23619",
    "datePublished": "2022-02-09T21:10:11.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:06:04.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-13405

CVE-2022-23619 (GCVE-0-2022-23619)

Tags

Sightings

Nomenclature