CVE-2022-31166
Published: 2022-09-07
Priority: P347 · high · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.11% (61.9th percentile)
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with the object editor adds a supplementary empty value to groups, which is then resolved as a reference to the XWiki.WebHome page. Adding an XWikiGroup xobject to that page then turns it into a group, and any user put in that group obtains the privileges granted by the edited right. Note that this security issue is normally mitigated by the fact that XWiki.WebHome (and the XWiki space in general) should be protected by default for edit rights. The problem has been patched in XWiki 13.10.4 and 14.2RC1, which no longer consider empty values in XWikiRights. It is possible to work around the problem by setting appropriate rights on the XWiki.WebHome page to prevent users from editing it.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 11.3.7 < 13.10.4 | 13.10.4 |
| xwiki | xwiki | >= 14.0 < 14.2 | 14.2 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| cisa | — | 9.8 | CRITICAL | — |
OSV
XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups
osv · 2022-09-20 · CVE-2022-31166 [HIGH]
### Impact
It is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation.
More specifically, editing a right with the object editor adds a supplementary empty value to groups, which is then resolved as a reference to the XWiki.WebHome page. Adding an XWikiGroup xobject to that page then turns it into a group, and any user put in that group obtains the privileges granted by the edited right.
Note that this security issue is normally mitigated by the fact that XWiki.WebHome (and the XWiki space in general) should be protected by default for edit rights.
### Patches
The problem has been patched in XWiki 13.10.4 and 14.2RC1, which no longer consider empty values in XWikiRights.
GHSA
XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups
ghsa · 2022-09-20 · CVE-2022-31166 [HIGH] · CWE-269
### Impact
It is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation.
More specifically, editing a right with the object editor adds a supplementary empty value to groups, which is then resolved as a reference to the XWiki.WebHome page. Adding an XWikiGroup xobject to that page then turns it into a group, and any user put in that group obtains the privileges granted by the edited right.
Note that this security issue is normally mitigated by the fact that XWiki.WebHome (and the XWiki space in general) should be protected by default for edit rights.
### Patches
The problem has been patched in XWiki 13.10.4 and 14.2RC1, which no longer consider empty values in XWikiRights.
CISA (KEV entry for CVE-2021-31166, a different CVE from the one on this page)
Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability
cisa · 2022-04-06 · CVSS 9.8 · CVE-2021-31166 [CRITICAL] · CWE-416
Vulnerability: Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability
Affected: Microsoft HTTP Protocol Stack
Microsoft HTTP Protocol Stack contains a vulnerability in http.sys that allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-31166
Remediation Due Date: 2022-04-27
Suricata (rule for CVE-2021-31166 / CVE-2022-21907, different CVEs from the one on this page)
ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE (CVE-2021-31166), http.sys DOS (CVE-2022-21907) Inbound
suricata · 2021-05-17 · CVSS 9.8 · CVE-2021-31166 [CRITICAL]
Rule (truncated as indexed):
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE (CVE-2021-31166), http.sys DOS (CVE-2022-21907) Inbound"; flow:established,to_server; http.accept_enc; content:",|20|,"; fast_pattern; reference:url,github.com/0vercl0k/CVE-2021-31166; reference:cve,2021-31166; classtype:attempted-admin; sid:2032962; rev:1; metadata:attack_target Server, created_at 2021_05_17, cve CVE_2021_31166, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_05_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Publ
```
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/xwiki/xwiki-platform/pull/1800
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g4h6-qp44-wqvx
- https://jira.xwiki.org/browse/XWIKI-15776
- https://jira.xwiki.org/browse/XWIKI-18386