CVE-2022-31167 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2022-31167

CVE-2022-31167

September 07, 2022

XWiki Platform Security Parent POM contains the security APIs for XWiki Platform, a generic wiki platform. Starting with version 5.0 and prior to 12.10.11, 13.10.1, and 13.4.6, a bug in the security cache stores rules associated to document Page1.Page2 and space Page1.Page2 in the same cache entry. That means that it's possible to overwrite the rights of a space or a document by creating the page of the space with the same name and checking the right of the new one first so that they end up in the security cache and are used for the other too. The problem has been patched in XWiki 12.10.11, 13.10.1, and 13.4.6. There are no known workarounds.

Related Resources (6)

https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31167.json

https://jira.xwiki.org/browse/XWIKI-18983

https://jira.xwiki.org/browse/XWIKI-14075

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gg53-wf5x-r3r6

https://github.com/xwiki/xwiki-platform

https://nvd.nist.gov/vuln/detail/CVE-2022-31167

Do you need more information?

CVSS v4

Base Score:

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Missing Authorization

CWE-862

Improper Authorization

CWE-285

EPSS

Base Score:

0.49

Products

Solutions

Resources

Company

Compare

Developer Tools