Privilege Escalation via XWikiRights in XWiki Platform before 13.10.4
CVE-2022-31166 Published on September 7, 2022

XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with the object editor adds a supplementary empty value to the groups list, which is then resolved as a reference to the XWiki.WebHome page. Adding an XWikiGroup xobject to that page turns it into a group, and any user placed in that group then obtains the privileges granted by the edited right. Note that this security issue is normally mitigated by the fact that XWiki.WebHome (and the XWiki space in general) should be protected for edit rights by default. The problem has been patched in XWiki 13.10.4 and 14.2RC1, which no longer consider empty values in XWikiRights. It is possible to work around the problem by setting appropriate rights on the XWiki.WebHome page to prevent users from editing it.
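The resolution chain described above (trailing empty group entry, empty reference resolving to the space's WebHome, WebHome becoming a group once an XWikiGroups xobject is attached) is modeled in the added Python example below. This is an illustration written for this page, not XWiki's code (XWiki itself is Java); the reference-resolution rules, the page/xobject model, and the names XWiki.XWikiAdminGroup, "lowpriv" and "Admin" are constructed assumptions. It places the pre-13.10.4 resolver beside the patched one that drops empty values, and shows why the workaround of restricting edit rights on XWiki.WebHome also closes the hole.

```python
"""Model of XWikiRights group resolution around CVE-2022-31166.

Constructed illustration in Python; it models the behaviour the advisory
describes and is not XWiki's own code.
"""
from dataclasses import dataclass, field
from typing import Callable

# Assumption: a space's default document is "WebHome", so an empty reference
# resolves to the current space's WebHome page, as the advisory describes.
DEFAULT_DOC = "WebHome"
GROUP_CLASS = "XWiki.XWikiGroups"   # xobject class whose presence makes a page a group


def resolve_reference(raw: str, current_space: str) -> str:
    """Resolve one document reference: 'Space.Doc' is kept, a bare 'Doc' gets
    the current space, and an empty string falls back to the space's WebHome."""
    raw = raw.strip()
    if not raw:
        return f"{current_space}.{DEFAULT_DOC}"
    if "." in raw:
        return raw
    return f"{current_space}.{raw}"


def resolve_groups_vulnerable(groups_field: str, space: str = "XWiki") -> list[str]:
    """Pre-13.10.4 behaviour (modeled): every comma-separated entry is resolved,
    including the empty one the object editor appends."""
    return [resolve_reference(g, space) for g in groups_field.split(",")]


def resolve_groups_fixed(groups_field: str, space: str = "XWiki") -> list[str]:
    """Patched behaviour (modeled): empty values are dropped before resolution."""
    return [resolve_reference(g, space) for g in groups_field.split(",") if g.strip()]


@dataclass
class Page:
    name: str
    objects: set = field(default_factory=set)             # attached xobject class names
    members: set = field(default_factory=set)             # only meaningful for group pages
    editors: set = field(default_factory=lambda: {"*"})   # who may edit; "*" means anyone


def add_group_object(page: Page, actor: str, member: str) -> bool:
    """Attach an XWikiGroups xobject (turning the page into a group) if the
    actor holds edit right on the page; returns whether it succeeded."""
    if "*" not in page.editors and actor not in page.editors:
        return False
    page.objects.add(GROUP_CLASS)
    page.members.add(member)
    return True


def effective_grantees(groups_field: str, wiki: dict[str, Page],
                       resolver: Callable[[str], list[str]]) -> set[str]:
    """Users who end up holding the right: members of every resolved
    reference that is actually a group page."""
    users: set[str] = set()
    for ref in resolver(groups_field):
        page = wiki.get(ref)
        if page is not None and GROUP_CLASS in page.objects:
            users |= page.members
    return users


def scenario(webhome_protected: bool) -> dict[str, set[str]]:
    """Constructed wiki: a right meant for XWiki.XWikiAdminGroup, saved by the
    object editor as 'XWiki.XWikiAdminGroup,' (note the trailing empty entry)."""
    groups_field = "XWiki.XWikiAdminGroup,"
    wiki = {
        "XWiki.XWikiAdminGroup": Page("XWiki.XWikiAdminGroup", {GROUP_CLASS}, {"Admin"}, {"Admin"}),
        "XWiki.WebHome": Page("XWiki.WebHome", editors={"Admin"} if webhome_protected else {"*"}),
    }
    # A low-privileged user tries to attach a group xobject to XWiki.WebHome;
    # this only succeeds when the page is left editable by everyone.
    add_group_object(wiki["XWiki.WebHome"], actor="lowpriv", member="lowpriv")
    return {
        "vulnerable": effective_grantees(groups_field, wiki, resolve_groups_vulnerable),
        "fixed": effective_grantees(groups_field, wiki, resolve_groups_fixed),
    }


if __name__ == "__main__":
    for protected in (False, True):
        print(f"XWiki.WebHome protected={protected}: {scenario(protected)}")
```

Running the script shows that with an unprotected XWiki.WebHome the vulnerable resolver grants the right to "lowpriv" as well as "Admin", while the fixed resolver grants it to "Admin" only; with edit rights on XWiki.WebHome restricted, both resolvers agree, which is exactly the workaround the advisory recommends for instances that cannot upgrade yet.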

Vulnerability Analysis

CVE-2022-31166 is exploitable with network access and requires only a small amount of user privileges. This vulnerability is considered to have a low attack complexity. A proof-of-concept (PoC) exploit for CVE-2022-31166 is publicly available. Successful exploitation of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

Weakness Type

Improper Privilege Management

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


Products Associated with CVE-2022-31166


Affected Versions

xwiki-platform:

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-31166

Package Manager   Vulnerable Package                           Versions                    Fixed In
maven             org.xwiki.platform:xwiki-platform-oldcore    >= 11.3.7, < 13.10.4        13.10.4
maven             org.xwiki.platform:xwiki-platform-oldcore    >= 14.0-rc-1, < 14.2-rc-1   14.2-rc-1

Exploit Probability

EPSS: 2.00%
Percentile: 83.97%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.