cnvd - cnvd-2022-13403

cnvd-2022-13403

Vulnerability from cnvd

Title: XWiki Platform访问控制错误漏洞

Description:

Xwiki Platform是法国Xwiki公司的一套用于创建Web协作应用程序的Wiki平台。

XWiki Platform存在访问控制错误漏洞，该漏洞源于应用未正确限制来自未授权角色的资源访问，攻击者可利用该漏洞保存具有当前用户权限的文档。

Severity: 中

Patch Name: XWiki Platform访问控制错误漏洞的补丁

Patch Description:

Xwiki Platform是法国Xwiki公司的一套用于创建Web协作应用程序的Wiki平台。

XWiki Platform存在访问控制错误漏洞，该漏洞源于应用未正确限制来自未授权角色的资源访问，攻击者可利用该漏洞保存具有当前用户权限的文档。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r

Reference: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r

Impacted products

Name
XWiki XWiki Platform <13.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-23615",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-23615"
    }
  },
  "description": "Xwiki Platform\u662f\u6cd5\u56fdXwiki\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u521b\u5efaWeb\u534f\u4f5c\u5e94\u7528\u7a0b\u5e8f\u7684Wiki\u5e73\u53f0\u3002\n\nXWiki Platform\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u672a\u6b63\u786e\u9650\u5236\u6765\u81ea\u672a\u6388\u6743\u89d2\u8272\u7684\u8d44\u6e90\u8bbf\u95ee\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4fdd\u5b58\u5177\u6709\u5f53\u524d\u7528\u6237\u6743\u9650\u7684\u6587\u6863\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-13403",
  "openTime": "2022-02-23",
  "patchDescription": "Xwiki Platform\u662f\u6cd5\u56fdXwiki\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u521b\u5efaWeb\u534f\u4f5c\u5e94\u7528\u7a0b\u5e8f\u7684Wiki\u5e73\u53f0\u3002\r\n\r\nXWiki Platform\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u672a\u6b63\u786e\u9650\u5236\u6765\u81ea\u672a\u6388\u6743\u89d2\u8272\u7684\u8d44\u6e90\u8bbf\u95ee\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4fdd\u5b58\u5177\u6709\u5f53\u524d\u7528\u6237\u6743\u9650\u7684\u6587\u6863\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "XWiki Platform\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "XWiki XWiki Platform \u003c13.0"
  },
  "referenceLink": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r",
  "serverity": "\u4e2d",
  "submitTime": "2022-02-13",
  "title": "XWiki Platform\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2022-23615 (GCVE-0-2022-23615)

Vulnerability from cvelistv5

Published

2022-02-09 20:35

Modified

2025-04-23 19:06

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-863 - Incorrect Authorization

Summary

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requiring programming right if the current user has programming right. This has been patched in XWiki 13.0. Users are advised to update to resolve this issue. The only known workaround is to limit SCRIPT access.

References

▼	URL	Tags
	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/7ab0fe7b96809c7a3881454147598d46a1c9bbbe	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-5024	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: >= 1.0, < 13.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:43:46.758Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xwiki/xwiki-platform/commit/7ab0fe7b96809c7a3881454147598d46a1c9bbbe"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jira.xwiki.org/browse/XWIKI-5024"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23615",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:10:53.325065Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:06:26.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0, \u003c 13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requiring programming right if the current user has programming right. This has been patched in XWiki 13.0. Users are advised to update to resolve this issue. The only known workaround is to limit SCRIPT access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-09T20:35:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/7ab0fe7b96809c7a3881454147598d46a1c9bbbe"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-5024"
        }
      ],
      "source": {
        "advisory": "GHSA-f4cj-3q3h-884r",
        "discovery": "UNKNOWN"
      },
      "title": "Partial authorization bypass on document save in xwiki-platform",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23615",
          "STATE": "PUBLIC",
          "TITLE": "Partial authorization bypass on document save in xwiki-platform"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "xwiki-platform",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 1.0, \u003c 13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "xwiki"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requiring programming right if the current user has programming right. This has been patched in XWiki 13.0. Users are advised to update to resolve this issue. The only known workaround is to limit SCRIPT access."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-863: Incorrect Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r",
              "refsource": "CONFIRM",
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/7ab0fe7b96809c7a3881454147598d46a1c9bbbe",
              "refsource": "MISC",
              "url": "https://github.com/xwiki/xwiki-platform/commit/7ab0fe7b96809c7a3881454147598d46a1c9bbbe"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-5024",
              "refsource": "MISC",
              "url": "https://jira.xwiki.org/browse/XWIKI-5024"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-f4cj-3q3h-884r",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23615",
    "datePublished": "2022-02-09T20:35:11.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:06:26.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted