{"containers": {"cna": {"affected": [{"product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "Apache JSPWiki up to 2.11.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was discovered by Huiseong Seo (t0rchwo0d), <awdr1624AT gmail DOT com>"}], "descriptions": [{"lang": "en", "value": "A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page."}], "metrics": [{"other": {"content": {"other": "critical"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"description": "CSRF group privilege escalation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-04T06:16:11.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158"}], "source": {"discovery": "UNKNOWN"}, "title": "User Group Privilege Escalation", "workarounds": [{"lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-34158", "STATE": "PUBLIC", "TITLE": "User Group Privilege Escalation"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache JSPWiki", "version": {"version_data": [{"version_affected": "<=", "version_value": "Apache JSPWiki up to 2.11.2"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered by Huiseong Seo (t0rchwo0d), <awdr1624AT gmail DOT com>"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "critical"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CSRF group privilege escalation"}]}]}, "references": {"reference_data": [{"name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T08:16:17.225Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-34158", "datePublished": "2022-08-04T06:16:11.000Z", "dateReserved": "2022-06-20T00:00:00.000Z", "dateUpdated": "2024-08-03T08:16:17.225Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A3E769-A3E7-4648-8792-5138BD591C1F", "versionEndExcluding": "2.11.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page."}, {"lang": "es", "value": "Una invocaci\u00f3n cuidadosamente dise\u00f1ada en el plugin Image podr\u00eda desencadenar una vulnerabilidad de tipo CSRF en Apache JSPWiki versiones anteriores a 2.11.3, que podr\u00eda permitir una escalada de privilegios de grupo de la cuenta del atacante. Un examen m\u00e1s detallado de este problema determin\u00f3 que tambi\u00e9n pod\u00eda usarse para modificar el correo electr\u00f3nico asociado a la cuenta atacada, y luego una petici\u00f3n de restablecimiento de contrase\u00f1a desde la p\u00e1gina de inicio de sesi\u00f3n"}], "id": "CVE-2022-34158", "lastModified": "2024-11-21T07:08:58.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-04T07:15:07.650", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}