Use of a broken or risky cryptographic algorithm in XWiki platform - CVE-2022-29161
Published: May 5, 2022 / Updated: May 5, 2026
Vulnerability identifier: #VU130044
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-29161
CWE-ID: CWE-327
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
XWiki platform
XWiki platform
Software vendor:
XWiki
XWiki
Description
The vulnerability allows a remote attacker to compromise certificate trust by exploiting weak certificate signatures.
The vulnerability exists due to use of a broken or risky cryptographic algorithm in the XWiki Crypto API certificate generation functionality when generating X509 certificates signed by default with SHA1 with RSA. A remote attacker can leverage SHA1 collision weaknesses to compromise certificate trust by exploiting weak certificate signatures.
This API is not used in XWiki Standard by default but might be used by some XWiki extensions.
Remediation
Install security update from vendor's website.