CVE-2022-41929

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-41929

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41929.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-41929

Aliases

GHSA-2gj2-vj98-j2qq

Published

2022-11-23T00:00:00Z

Modified

2025-10-22T18:36:06.247663Z

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore

Details

org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.

Database specific

{
    "cwe_ids": [
        "CWE-862"
    ]
}

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-commons
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ea813db28a986642d4862cef18015f0e7e8b7e29

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-platform
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd

Affected versions

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2

xwiki-platform-7.4-milestone-1

xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1

xwiki-platform-8.0-milestone-2

xwiki-platform-8.1-milestone-1

xwiki-platform-8.1-milestone-2

xwiki-platform-8.2-milestone-1

xwiki-platform-8.2-milestone-2

xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd",
        "target": {
            "function": "setDisabledStatus",
            "file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/User.java"
        },
        "digest": {
            "function_hash": "176382147332873468828462861729421347080",
            "length": 84.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-41929-0bc35a79"
    },
    {
        "source": "https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd",
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/User.java"
        },
        "digest": {
            "line_hashes": [
                "269895999152795930690457794911533646744",
                "243334174950697818734997287878692459311",
                "104995347061490540001305252560970709191",
                "172723925155131148434449371913095405073"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-41929-73463481"
    }
]