ghsa-599v-w48h-rjrm
Vulnerability from github
Published
2022-09-16 17:39
Modified
2022-09-16 17:39
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
XWiki Platform Web Templates vulnerable to Missing Authorization, Exposure of Private Personal Information to Unauthorized Actor
Details

Impact

Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties.

Patches

The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties.

Workarounds

The template file suggest.vm can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though.

References

  • https://jira.xwiki.org/browse/XWIKI-18849

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at security mailing-list

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web-templates"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3"
            },
            {
              "fixed": "13.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0"
            },
            {
              "fixed": "14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T17:39:46Z",
    "nvd_published_at": "2022-09-08T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThrough the suggestion feature, string and list properties of objects the user shouldn\u0027t have access to can be accessed. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on [private wikis](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Access%20Rights/#HPrivateWiki) at least for string properties.\n\n### Patches\nThe issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties.\n\n### Workarounds\nThe template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been [overridden](https://extensions.xwiki.org/xwiki/bin/view/Extension/Skin%20Application#HHowtooverrideatemplate), in which case the overridden template should be patched, too. This might need adjustments for older versions, though.\n\n### References\n* https://jira.xwiki.org/browse/XWIKI-18849\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org)\n* Email us at [security mailing-list](mailto:security@xwiki.com)\n",
  "id": "GHSA-599v-w48h-rjrm",
  "modified": "2022-09-16T17:39:46Z",
  "published": "2022-09-16T17:39:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-599v-w48h-rjrm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36091"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-18849"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform Web Templates vulnerable to Missing Authorization, Exposure of Private Personal Information to Unauthorized Actor"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.