CVE-2022-36090

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-36090
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36090.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-36090
Aliases
Published
2022-09-08T14:45:13Z
Modified
2025-12-08T19:08:33.025751Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
org.xwiki.platform:xwiki-platform-oldcore Improper Authorization check for inactive users
Details

XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources in XWiki, including the REST service, are missing a check for inactive (not yet activated or disabled) users. This means a disabled user can enable themselves using a REST call. In the same way, some resource handlers created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki, for instance on installations configured to require email activation for new users. It is more critical for versions 11.3-rc-1 and later, since the maintainers provided the capability to disable users without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36090.json",
    "cwe_ids": [
        "CWE-285"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-commons
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1

Database specific

vanir_signatures
