CVE-2022-23619: Information exposure in xwiki-platform
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-23619
GHSA ID:
EPSS Score: 0.2172%
CWE:
Published: 2/9/2022
Updated: 2/3/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-web | maven | >= 13.5RC1, <= 13.5 | 13.6RC1 |
| org.xwiki.platform:xwiki-platform-web | maven | >= 13.0.0, < 13.4.1 | 13.4.1 |
| org.xwiki.platform:xwiki-platform-web | maven | < 12.10.9 | 12.10.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from three key issues:
1) Explicit error messages in the password reset flow revealing whether a user exists (CWE-200).
2) Exposure of email addresses in API responses.
3) Observable differences between responses for existing and non-existing users.
The commit diff shows critical changes in the user existence checking logic (removed exceptions for non-existent users), removal of email return values in authentication APIs, and test case modifications to prevent user enumeration through response validation. The vulnerable functions directly handled these information disclosure paths by providing distinct error states that attackers could observe.