Improper Authorization in XWiki platform - CVE-2022-31167

 

Improper Authorization in XWiki platform - CVE-2022-31167

Published: September 7, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130020
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-31167
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify authorization rules.

The vulnerability exists due to improper authorization in the security cache when checking rights for a page and a space that share the same reference. A remote user can create a page with the same name as a space and check its rights first to disclose sensitive information and modify authorization rules.

The issue is caused by rules for document Page1.Page2 and space Page1.Page2 being stored in the same cache entry.


How to mitigate CVE-2022-31167

Install security update from vendor's website.

Sources