ghsa-2gj2-vj98-j2qq
Vulnerability from github
Published
2022-11-21 22:35
Modified
2022-11-21 22:35
Severity ?
Summary
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
Details
Impact
It's possible for a user with only Script rights to enable or disable a user: this operation should be only doable for users with admin rights.
Patches
This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
Workarounds
There is no workaround other than upgrading the wiki, but note that this only impacts users with Script rights: administrator should take care which users have such right.
References
- https://jira.xwiki.org/browse/XWIKI-19804
- https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd
For more information
If you have any questions or comments about this advisory: * Open an issue in JIRA * Email us at security ML
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "11.7RC1"
},
{
"fixed": "13.10.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "14.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41929"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-21T22:35:22Z",
"nvd_published_at": "2022-11-23T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIt\u0027s possible for a user with only Script rights to enable or disable a user: this operation should be only doable for users with admin rights. \n\n### Patches\n\nThis problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.\n\n### Workarounds\n\nThere is no workaround other than upgrading the wiki, but note that this only impacts users with Script rights: administrator should take care which users have such right. \n\n### References\n\n * https://jira.xwiki.org/browse/XWIKI-19804\n * https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [JIRA](https://jira.xwiki.org)\n* Email us at [security ML](mailto:security@xwiki.org)\n",
"id": "GHSA-2gj2-vj98-j2qq",
"modified": "2022-11-21T22:35:22Z",
"published": "2022-11-21T22:35:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41929"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-19804"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.