7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-31167

GHSA ID

GHSA-gg53-wf5x-r3r6

EPSS Score

0.51486%

CWE

CWE-285

Published

9/20/2022

Updated

1/29/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31167

CVE-2022-31167: XWiki Platform Security Parent POM vulnerable to overwriting of security rules of a page with a final page having the same reference

Impact

A bug in the security cache is storing rules associated to document Page1.Page2 and space Page1.Page2 in the same cache entry.

That means that it's possible to overwrite the rights of a space or a document by creating the page of the space with the same name and checking the right of the new one first so that they end up in the security cache and are used for the other too.

Patches

The problem has been patched in XWiki 12.10.11, 13.10.1, 13.4.6.

Workarounds

No workaround other than patching.

References

https://jira.xwiki.org/browse/XWIKI-14075 https://jira.xwiki.org/browse/XWIKI-18983

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-31167

CVE-2022-31167:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-31167

GHSA ID

GHSA-gg53-wf5x-r3r6

EPSS Score

0.51486%

CWE

CWE-285

Published

9/20/2022

Updated

1/29/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-security	maven	>= 5.0, < 12.10.11	12.10.11
org.xwiki.platform:xwiki-platform-security	maven	>= 13.0, < 13.4.6	13.4.6
org.xwiki.platform:xwiki-platform-security	maven	>= 13.10, < 13.10.1	13.10.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper cache key generation in the security component, where document and space references with identical names shared the same cache entry. The SecurityCache.getKey function is the most logical candidate for this flaw, as it would be responsible for generating unique identifiers for cached security rules. The description explicitly mentions the cache storage collision between document and space rules, which aligns with a missing entity-type distinction in cache key generation. While exact code references are unavailable, the security cache component and key generation logic are central to the described vulnerability mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-31167: XWiki Platform Security Parent POM vulnerable to overwriting of security rules of a page with a final page having the same reference

Impact

Patches

Workarounds

References

For more information

CVE-2022-31167:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.1

7.1

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2022-31167: XWiki Platform Security Parent POM vulnerable to overwriting of security rules of a page with a final page having the same reference

Impact

Patches

Workarounds

References

For more information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI