Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yZ2oyLXZqOTgtajJxcc4AAv_P
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
Impact
It's possible for a user with only Script rights to enable or disable a user: this operation should be only doable for users with admin rights.
Patches
This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
Workarounds
There is no workaround other than upgrading the wiki, but note that this only impacts users with Script rights: administrator should take care which users have such right.
References
- https://jira.xwiki.org/browse/XWIKI-19804
- https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd
For more information
If you have any questions or comments about this advisory:
- Open an issue in JIRA
- Email us at security ML
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yZ2oyLXZqOTgtajJxcc4AAv_P
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 4.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-2gj2-vj98-j2qq, CVE-2022-41929
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qq
- https://nvd.nist.gov/vuln/detail/CVE-2022-41929
- https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd
- https://jira.xwiki.org/browse/XWIKI-19804
- https://github.com/advisories/GHSA-2gj2-vj98-j2qq
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-oldcore
Affected Version Ranges: >= 14.0.0, < 14.4.2, >= 11.7RC1, < 13.10.7Fixed in: 14.4.2, 13.10.7