CVE-2022-23654 - OpenCVE

Wiki.js is a wiki app built on Node.js. In affected versions an authenticated user with write access on a restricted set of paths can update a page outside the allowed paths by specifying a different target page ID while keeping the path intact. The access control incorrectly check the path access against the user-provided values instead of the actual path associated to the page ID. Commit https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b fixes this vulnerability by checking access control on the path associated with the page ID instead of the user-provided value. When the path is different than the current value, a second access control check is then performed on the user-provided path before the move operation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Requarks	Wiki.js

Configuration 1 [-]

cpe:2.3:a:requarks:wiki.js:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b
https://github.com/Requarks/wiki/security/advisories/GHSA-3cv9-795v-6j7j

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-02-22T20:05:11

Updated: 2024-08-03T03:51:44.191Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23654

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-22T20:15:07.817

Modified: 2023-07-24T13:50:15.770

Link: CVE-2022-23654

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "wiki", "vendor": "Requarks", "versions": [{"status": "affected", "version": "< 2.5.276"}]}], "descriptions": [{"lang": "en", "value": "Wiki.js is a wiki app built on Node.js. In affected versions an authenticated user with write access on a restricted set of paths can update a page outside the allowed paths by specifying a different target page ID while keeping the path intact. The access control incorrectly check the path access against the user-provided values instead of the actual path associated to the page ID. Commit https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b fixes this vulnerability by checking access control on the path associated with the page ID instead of the user-provided value. When the path is different than the current value, a second access control check is then performed on the user-provided path before the move operation."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-22T20:05:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Requarks/wiki/security/advisories/GHSA-3cv9-795v-6j7j"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b"}], "source": {"advisory": "GHSA-3cv9-795v-6j7j", "discovery": "UNKNOWN"}, "title": "Improper write access check in Requarks/wiki", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-23654", "STATE": "PUBLIC", "TITLE": "Improper write access check in Requarks/wiki"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "wiki", "version": {"version_data": [{"version_value": "< 2.5.276"}]}}]}, "vendor_name": "Requarks"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Wiki.js is a wiki app built on Node.js. In affected versions an authenticated user with write access on a restricted set of paths can update a page outside the allowed paths by specifying a different target page ID while keeping the path intact. The access control incorrectly check the path access against the user-provided values instead of the actual path associated to the page ID. Commit https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b fixes this vulnerability by checking access control on the path associated with the page ID instead of the user-provided value. When the path is different than the current value, a second access control check is then performed on the user-provided path before the move operation."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Requarks/wiki/security/advisories/GHSA-3cv9-795v-6j7j", "refsource": "CONFIRM", "url": "https://github.com/Requarks/wiki/security/advisories/GHSA-3cv9-795v-6j7j"}, {"name": "https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b", "refsource": "MISC", "url": "https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b"}]}, "source": {"advisory": "GHSA-3cv9-795v-6j7j", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:51:44.191Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Requarks/wiki/security/advisories/GHSA-3cv9-795v-6j7j"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-23654", "datePublished": "2022-02-22T20:05:11", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2024-08-03T03:51:44.191Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:requarks:wiki.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "16272B7A-8766-4D95-8E5D-3CF9EE37283C", "versionEndExcluding": "2.5.276", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wiki.js is a wiki app built on Node.js. In affected versions an authenticated user with write access on a restricted set of paths can update a page outside the allowed paths by specifying a different target page ID while keeping the path intact. The access control incorrectly check the path access against the user-provided values instead of the actual path associated to the page ID. Commit https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b fixes this vulnerability by checking access control on the path associated with the page ID instead of the user-provided value. When the path is different than the current value, a second access control check is then performed on the user-provided path before the move operation."}, {"lang": "es", "value": "Wiki.js es una aplicaci\u00f3n wiki construida sobre Node.js. En las versiones afectadas, un usuario autenticado con acceso de escritura en un conjunto restringido de rutas puede actualizar una p\u00e1gina fuera de las rutas permitidas especificando un ID de p\u00e1gina de destino diferente mientras mantiene la ruta intacta. El control de acceso comprueba incorrectamente el acceso a la ruta con los valores proporcionados por el usuario en lugar de la ruta real asociada al ID de la p\u00e1gina. El commit https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b corrige esta vulnerabilidad comprobando el control de acceso en la ruta asociada al ID de la p\u00e1gina en lugar del valor proporcionado por el usuario. Cuando la ruta es diferente al valor actual, se realiza una segunda comprobaci\u00f3n de control de acceso en la ruta proporcionada por el usuario antes de la operaci\u00f3n de movimiento"}], "id": "CVE-2022-23654", "lastModified": "2023-07-24T13:50:15.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-02-22T20:15:07.817", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Requarks/wiki/security/advisories/GHSA-3cv9-795v-6j7j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}]}