CVE-2022-41929

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-41929
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41929.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-41929
Aliases
Published
2022-11-23T00:00:00Z
Modified
2026-03-14T11:57:10.964462Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
Details

org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.

Database specific 
{
    "cwe_ids": [
        "CWE-862"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41929.json"
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
950f435a66fb9fe437d27df8a6aaf20e01322e1f
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
cc3304eb18e40b836f37b9ee12ffa15c9f99285a
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
f458acea03f9931f318892b20f4be69f2b743431
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
daf5e736b51daba27b5ddff3bd363dd33bd3cf35
Fixed
0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "13.10.7"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "14.4.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.4.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.4.4"
        }
    ]
}

Database specific

vanir_signatures 
[
    {
        "digest": {
            "length": 84.0,
            "function_hash": "176382147332873468828462861729421347080"
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2022-41929-0bc35a79",
        "target": {
            "function": "setDisabledStatus",
            "file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/User.java"
        },
        "source": "https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "269895999152795930690457794911533646744",
                "243334174950697818734997287878692459311",
                "104995347061490540001305252560970709191",
                "172723925155131148434449371913095405073"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2022-41929-73463481",
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/User.java"
        },
        "source": "https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd"
    }
]
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.7-rc1"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41929.json"