XWiki Platform 13.1/14.3rc: Inactive user REST self-activation
CVE-2022-36090 Published on September 8, 2022
org.xwiki.platform:xwiki-platform-oldcore Improper Authorization check for inactive users
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. In the same way, some resource handlers created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki, for instances configured to require email activation for new users. It is more critical for versions 11.3-rc-1 and later, since the maintainers provided the capability to disable users without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki.
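A simplified model of the gap described above, written for this page and not taken from XWiki's code base: the REST handler verifies that the caller edits only their own profile but never consults the caller's own active state, so a disabled account can re-enable itself; wrapping handlers in one central guard at the dispatch layer closes the hole for extension resources as well. The `User` model, the handler names and the sample accounts are all constructed.

```python
"""Model of the authorization gap behind CVE-2022-36090: a REST layer that
authenticates the caller but never checks whether the account is active, so
a disabled user can flip their own 'active' flag. Illustrative code only,
not XWiki's; every name here is constructed for the example."""
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    name: str
    active: bool  # models the active/disabled state of the user profile


def make_directory():
    """Constructed sample accounts: alice is normal, mallory was disabled."""
    return {"alice": User("alice", True), "mallory": User("mallory", False)}


def require_active_user(handler):
    """Central guard: refuse any REST action from an inactive account.
    Applied at the dispatch layer it covers extension resources too,
    instead of relying on each handler to remember the check."""
    @wraps(handler)
    def guarded(users, caller, *args, **kwargs):
        if caller not in users or not users[caller].active:
            raise PermissionError(f"{caller}: account inactive or unknown")
        return handler(users, caller, *args, **kwargs)
    return guarded


def put_user_property_vulnerable(users, caller, target, prop, value):
    """Authenticated caller may edit only their own profile. Ownership is
    checked, but the caller's own 'active' state is not: the flaw."""
    if caller != target:
        raise PermissionError("may only edit own profile")
    setattr(users[target], prop, value)
    return users[target]


# Hardened variant: the same handler behind the central guard.
put_user_property_fixed = require_active_user(put_user_property_vulnerable)


def self_activation_attempt(handler):
    """True if disabled 'mallory' ends up active after calling handler."""
    users = make_directory()
    try:
        handler(users, "mallory", "mallory", "active", True)
    except PermissionError:
        pass
    return users["mallory"].active
```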
Vulnerability Analysis
CVE-2022-36090 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. A publicly available proof of concept (POC) exploit exists for CVE-2022-36090. An exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2022-36090 has been classified as an AuthZ (authorization) vulnerability or weakness.
Products Associated with CVE-2022-36090
Affected Versions
xwiki-platform:
- Version >= 1.1, < 13.10.5 is affected.
- Version >= 14.0, < 14.3-RC-1 is affected.
Vulnerable Packages
The following package names and versions may be associated with CVE-2022-36090.
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.xwiki.platform:xwiki-platform-oldcore | >= 1.1, < 13.10.5 | 13.10.5 |
| maven | org.xwiki.platform:xwiki-platform-oldcore | >= 14.0, < 14.3-rc-1 | 14.3-rc-1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.