cnvd - cnvd-2022-13405

cnvd-2022-13405

Vulnerability from cnvd

Title: Xwiki Platform授权问题漏洞（CNVD-2022-13405）

Description:

Xwiki Platform是法国Xwiki公司的一套用于创建Web协作应用程序的Wiki平台。

XWiki Platform存在授权问题漏洞，该漏洞源于即使wiki对访客关闭也可通过使用忘记密码表单来猜测用户是否在wiki上有账户，攻击者可利用该漏洞猜解存在的用户。

Severity: 中

Patch Name: Xwiki Platform授权问题漏洞（CNVD-2022-13405）的补丁

Patch Description:

Xwiki Platform是法国Xwiki公司的一套用于创建Web协作应用程序的Wiki平台。

XWiki Platform存在授权问题漏洞，该漏洞源于即使wiki对访客关闭也可通过使用忘记密码表单来猜测用户是否在wiki上有账户，攻击者可利用该漏洞猜解存在的用户。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f

Reference: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f

Impacted products

Name
['XWiki XWiki Platform <12.10.9', 'XWiki XWiki Platform <13.4.1', 'XWiki XWiki Platform <13.6RC1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-23619",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-23619"
    }
  },
  "description": "Xwiki Platform\u662f\u6cd5\u56fdXwiki\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u521b\u5efaWeb\u534f\u4f5c\u5e94\u7528\u7a0b\u5e8f\u7684Wiki\u5e73\u53f0\u3002\n\nXWiki Platform\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5373\u4f7fwiki\u5bf9\u8bbf\u5ba2\u5173\u95ed\u4e5f\u53ef\u901a\u8fc7\u4f7f\u7528\u5fd8\u8bb0\u5bc6\u7801\u8868\u5355\u6765\u731c\u6d4b\u7528\u6237\u662f\u5426\u5728wiki\u4e0a\u6709\u8d26\u6237\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u731c\u89e3\u5b58\u5728\u7684\u7528\u6237\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-13405",
  "openTime": "2022-02-23",
  "patchDescription": "Xwiki Platform\u662f\u6cd5\u56fdXwiki\u516c\u53f8\u7684\u4e00\u5957\u7528\u4e8e\u521b\u5efaWeb\u534f\u4f5c\u5e94\u7528\u7a0b\u5e8f\u7684Wiki\u5e73\u53f0\u3002\r\n\r\nXWiki Platform\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5373\u4f7fwiki\u5bf9\u8bbf\u5ba2\u5173\u95ed\u4e5f\u53ef\u901a\u8fc7\u4f7f\u7528\u5fd8\u8bb0\u5bc6\u7801\u8868\u5355\u6765\u731c\u6d4b\u7528\u6237\u662f\u5426\u5728wiki\u4e0a\u6709\u8d26\u6237\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u731c\u89e3\u5b58\u5728\u7684\u7528\u6237\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Xwiki Platform\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-13405\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "XWiki XWiki Platform \u003c12.10.9",
      "XWiki XWiki Platform \u003c13.4.1",
      "XWiki XWiki Platform \u003c13.6RC1"
    ]
  },
  "referenceLink": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f",
  "serverity": "\u4e2d",
  "submitTime": "2022-02-13",
  "title": "Xwiki Platform\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-13405\uff09"
}

CVE-2022-23619 (GCVE-0-2022-23619)

Vulnerability from cvelistv5

Published

2022-02-09 21:10

Modified

2025-04-23 19:06

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to guess if a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users. This problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised yo update. There are no known workarounds for this issue.

References

▼	URL	Tags
	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-18787	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: >= 13.6.0, < 13.6RC1 Version: >= 13.0.0, < 13.4.1 Version: < 12.10.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.542Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jira.xwiki.org/browse/XWIKI-18787"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23619",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:57:37.274388Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:06:04.533Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 13.6.0, \u003c 13.6RC1"
            },
            {
              "status": "affected",
              "version": "\u003e= 13.0.0, \u003c 13.4.1"
            },
            {
              "status": "affected",
              "version": "\u003c 12.10.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it\u0027s possible to guess if a user has an account on the wiki by using the \"Forgot your password\" form, even if the wiki is closed to guest users. This problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised yo update. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-09T21:10:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-18787"
        }
      ],
      "source": {
        "advisory": "GHSA-35fg-hjcr-j65f",
        "discovery": "UNKNOWN"
      },
      "title": "Information exposure in xwiki-platform",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23619",
          "STATE": "PUBLIC",
          "TITLE": "Information exposure in xwiki-platform"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "xwiki-platform",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 13.6.0, \u003c 13.6RC1"
                          },
                          {
                            "version_value": "\u003e= 13.0.0, \u003c 13.4.1"
                          },
                          {
                            "version_value": "\u003c 12.10.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "xwiki"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it\u0027s possible to guess if a user has an account on the wiki by using the \"Forgot your password\" form, even if the wiki is closed to guest users. This problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised yo update. There are no known workarounds for this issue."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f",
              "refsource": "CONFIRM",
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494",
              "refsource": "MISC",
              "url": "https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-18787",
              "refsource": "MISC",
              "url": "https://jira.xwiki.org/browse/XWIKI-18787"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-35fg-hjcr-j65f",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23619",
    "datePublished": "2022-02-09T21:10:11.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:06:04.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted