
CVE-2022-23619: Information exposure in xwiki-platform

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.2172%
Published: 2/9/2022
Updated: 2/3/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name                           | Ecosystem | Vulnerable Versions  | First Patched Version
org.xwiki.platform:xwiki-platform-web  | maven     | >= 13.5RC1, <= 13.5  | 13.6RC1
org.xwiki.platform:xwiki-platform-web  | maven     | >= 13.0.0, < 13.4.1  | 13.4.1
org.xwiki.platform:xwiki-platform-web  | maven     | < 12.10.9            | 12.10.9

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from three related issues: 1) explicit error messages in the password reset flow that revealed whether a user exists (CWE-200), 2) exposure of the registered email address in API responses, and 3) observable differences between the responses for existing and non-existing users. The commit diff shows the corresponding changes: the user-existence check no longer raises an exception for non-existent users, the authentication APIs no longer return the email address, and the test cases were adjusted so that responses are validated without distinguishing the two cases. The vulnerable functions were the information-disclosure path because they produced distinct, externally observable error states for the two cases; the check is unauthenticated, so the oracle is usable even on a wiki that is closed to guest users.


Description

### Impact
It's possible to guess if a user has an account on the wiki by using the "forgot your password" form, even if the wiki is closed to guest users.

### Patches
The problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1.

### Workarounds
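The following is an added example, not XWiki code and not taken from the advisory or the fix commit. It models the two response shapes the root cause analysis and the advisory describe: a "forgot your password" handler that answers differently for known and unknown usernames and echoes the registered email (the vulnerable shape), beside one that returns the same response either way and sends mail only when the account exists (the fixed shape). `probe_accounts` is the attacker's side of the user-enumeration check. All names (`USERS`, `OUTBOX`, `reset_vulnerable`, `reset_hardened`, `probe_accounts`) are hypothetical, the user directory is constructed sample data, and the equal-work-on-miss step in the hardened handler is a timing mitigation that goes beyond what the advisory itself describes.

```python
import secrets
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed sample user directory (username -> email). Not real data.
USERS: Dict[str, str] = {
    "alice": "alice@example.test",
    "bob": "bob@example.test",
}

# Stand-in for the mail subsystem: handlers append (email, token) here
# instead of sending anything, so the example runs offline.
OUTBOX: List[Tuple[str, str]] = []


def reset_vulnerable(username: str) -> dict:
    """Pre-fix shape (hypothetical): a distinct error for unknown users, and
    the registered email address echoed back to an unauthenticated caller."""
    if username not in USERS:
        return {"status": 404, "message": "No user found with that name"}
    email = USERS[username]
    OUTBOX.append((email, secrets.token_urlsafe(32)))
    return {
        "status": 200,
        "message": f"A reset link was sent to {email}",
        "email": email,
    }


def reset_hardened(username: str) -> dict:
    """Post-fix shape (hypothetical): identical status and message whether or
    not the user exists, no email in the response, and mail only on a hit."""
    if username in USERS:
        OUTBOX.append((USERS[username], secrets.token_urlsafe(32)))
    else:
        # Do comparable work on a miss so response time does not become the
        # oracle once the message is uniform (added mitigation, not from the
        # advisory; the CVE is about the response content itself).
        secrets.token_urlsafe(32)
    return {
        "status": 200,
        "message": "If an account exists for that name, a reset link has been sent.",
    }


def probe_accounts(handler: Callable[[str], dict], candidates: Iterable[str]) -> Set[str]:
    """Attacker's view of the form: fetch a baseline response for a name that
    certainly does not exist, then report every candidate whose response
    differs from that baseline. An empty result means no oracle was found."""
    baseline = handler("no-such-user-" + secrets.token_hex(8))
    return {name for name in candidates if handler(name) != baseline}


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable handler leaks:", sorted(probe_accounts(reset_vulnerable, names)))
    print("hardened handler leaks:  ", sorted(probe_accounts(reset_hardened, names)))
```

The probe compares whole responses rather than looking for a specific string, which is how a practitioner should test a reset endpoint: any field that differs, including status code, body length or an echoed address, is a usable signal. Verifying the fix therefore means checking that the hardened handler's response for a real account is byte-for-byte equal to the response for a fabricated one.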
