Improper Authorization in XWiki platform - CVE-2022-31167

Published: September 7, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130020
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-31167
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote user to disclose sensitive information and modify authorization rules.

The vulnerability exists due to improper authorization in the security cache when rights are checked for a page and a space that share the same reference. A remote user can create a page with the same name as an existing space and have its rights checked first, so that the cached result is then applied to the space as well, allowing the user to disclose sensitive information and modify authorization rules.

The issue is caused by the rules for document Page1.Page2 and space Page1.Page2 being stored in the same cache entry.
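As an added illustration (this is not XWiki's code, but a deliberately simplified model of a rights cache), the following Python shows why a cache keyed by the serialized reference alone lets the document and space entries collide, and how keying by entity type plus reference keeps them apart. The names EntityType, EntityReference, RULES and both cache classes are assumptions made for this example, and the sample rules are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class EntityType(Enum):
    SPACE = "space"
    DOCUMENT = "document"

@dataclass(frozen=True)
class EntityReference:
    type: EntityType
    name: str  # serialized form, e.g. "Page1.Page2"

# Constructed sample rules (not XWiki data): space Page1.Page2 is admin-only,
# while document Page1.Page2, created by the user, is open to any user.
RULES = {
    (EntityType.SPACE, "Page1.Page2"): {"admin"},
    (EntityType.DOCUMENT, "Page1.Page2"): {"admin", "user"},
}

def load_rules(ref):
    """Stand-in for the expensive rights lookup the cache is meant to avoid."""
    return RULES[(ref.type, ref.name)]

class VulnerableCache:
    """Keys entries by the serialized reference only, so document Page1.Page2
    and space Page1.Page2 share one entry: the defect behind CVE-2022-31167."""
    def __init__(self):
        self._entries = {}

    def key(self, ref):
        return ref.name

    def is_allowed(self, ref, user):
        k = self.key(ref)
        if k not in self._entries:  # the first check populates the entry
            self._entries[k] = load_rules(ref)
        return user in self._entries[k]

class FixedCache(VulnerableCache):
    """Includes the entity type in the key, so the two references no longer collide."""
    def key(self, ref):
        return (ref.type, ref.name)

def space_access_after_document_check(cache_cls, user="user"):
    """Check the document first (warming the cache), then the same-named space."""
    cache = cache_cls()
    cache.is_allowed(EntityReference(EntityType.DOCUMENT, "Page1.Page2"), user)
    return cache.is_allowed(EntityReference(EntityType.SPACE, "Page1.Page2"), user)
```

With the vulnerable cache the space check for a plain user wrongly returns True because it hits the entry the document check created; with the fixed key it correctly returns False.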


Remediation

Install the security update from the vendor's website.

External links