CVE-2022-41936 - OpenCVE

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users are exposed though the `modifications` rest endpoint (comments and page names etc). Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Xwiki	Xwiki

Configuration 1 [-]

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::

No data.

References

Link	Providers
https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p88w-fhxw-xvcc
https://jira.xwiki.org/browse/XWIKI-19997

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-11-22T00:00:00

Updated: 2024-08-03T12:56:38.536Z

Reserved: 2022-09-30T00:00:00

Link: CVE-2022-41936

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-11-22T01:15:34.130

Modified: 2022-11-28T14:37:41.577

Link: CVE-2022-41936

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-41936", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:56:38.536Z", "dateReserved": "2022-09-30T00:00:00", "datePublished": "2022-11-22T00:00:00"}, "containers": {"cna": {"title": "Exposure of Private Personal Information to an Unauthorized Actor in xwiki-platform-rest-server", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users are exposed though the `modifications` rest endpoint (comments and page names etc). Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched. There are no known workarounds."}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 8.1, < 13.10.8", "status": "affected"}, {"version": ">= 14.0.0, < 14.4.3", "status": "affected"}, {"version": ">= 14.5.0, < 14.6", "status": "affected"}]}], "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p88w-fhxw-xvcc"}, {"url": "https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff"}, {"url": "https://jira.xwiki.org/browse/XWIKI-19997"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor", "cweId": "CWE-359"}]}], "source": {"advisory": "GHSA-p88w-fhxw-xvcc", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:38.536Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p88w-fhxw-xvcc", "tags": ["x_transferred"]}, {"url": "https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff", "tags": ["x_transferred"]}, {"url": "https://jira.xwiki.org/browse/XWIKI-19997", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "13D7D1AE-FCCF-4D05-9C80-933CE292C9EA", "versionEndExcluding": "13.10.8", "versionStartIncluding": "8.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "DCDE8612-07AB-4ED8-A457-E6D2FBD3C543", "versionEndExcluding": "14.4.3", "versionStartIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "234CF6C3-DFC7-4B38-A7A5-433D730A50EA", "versionEndExcluding": "14.6", "versionStartIncluding": "14.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users are exposed though the `modifications` rest endpoint (comments and page names etc). Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched. There are no known workarounds."}, {"lang": "es", "value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones creadas sobre ella. El resto de `modifications` endpoint no filtra las entradas seg\u00fan los derechos del usuario. Por lo tanto, la informaci\u00f3n oculta a usuarios no autorizados queda expuesta a trav\u00e9s del resto de \"modifications\" endpoint (comentarios y nombres de p\u00e1ginas, etc.). Los usuarios deben actualizar a XWiki 14.6+, 14.4.3+ o 13.10.8+. Las versiones anteriores no han sido parcheadas. No se conocen workarounds alternativos."}], "id": "CVE-2022-41936", "lastModified": "2022-11-28T14:37:41.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-11-22T01:15:34.130", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p88w-fhxw-xvcc"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-19997"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-359"}], "source": "security-advisories@github.com", "type": "Primary"}]}