CVE-2021-32732 - Vulnerability Details

Vendors	Products
Xwiki	Xwiki

Link	Providers
https://github.com/xwiki/xwiki-platform/commit/69548c0320cbd772540cf4668743e69f879812cf
https://github.com/xwiki/xwiki-platform/commit/f0440dfcbba705e03f7565cd88893dde57ca3fa8
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vh5c-jqfg-mhrh
https://jira.xwiki.org/browse/XWIKI-18384
https://jira.xwiki.org/browse/XWIKI-18408

{"containers": {"cna": {"affected": [{"product": "xwiki-platform", "vendor": "xwiki", "versions": [{"status": "affected", "version": "< 12.10.5 "}, {"status": "affected", "version": ">= 13.0, < 13.2RC1"}]}], "descriptions": [{"lang": "en", "value": "### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those requests. ### Patches This issue has been patched in XWiki 12.10.5 and 13.2RC1. Two different patches are provided: - a first one to fix the CSRF problem - a more complex one that now relies on sending an email for the Forgot username process. ### Workarounds It's possible to fix the problem without uprading by editing the ForgotUsername page in version below 13.x, to use the following code: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123 In version after 13.x it's also possible to edit manually the forgotusername.vm file, but it's really encouraged to upgrade the version here. ### References * https://jira.xwiki.org/browse/XWIKI-18384 * https://jira.xwiki.org/browse/XWIKI-18408 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org)"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-04T22:15:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vh5c-jqfg-mhrh"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/69548c0320cbd772540cf4668743e69f879812cf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/f0440dfcbba705e03f7565cd88893dde57ca3fa8"}, {"tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-18384"}, {"tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-18408"}], "source": {"advisory": "GHSA-vh5c-jqfg-mhrh", "discovery": "UNKNOWN"}, "title": "Cross-Site Request Forgery in xwiki-platform", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32732", "STATE": "PUBLIC", "TITLE": "Cross-Site Request Forgery in xwiki-platform"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "xwiki-platform", "version": {"version_data": [{"version_value": "< 12.10.5 "}, {"version_value": ">= 13.0, < 13.2RC1"}]}}]}, "vendor_name": "xwiki"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those requests. ### Patches This issue has been patched in XWiki 12.10.5 and 13.2RC1. Two different patches are provided: - a first one to fix the CSRF problem - a more complex one that now relies on sending an email for the Forgot username process. ### Workarounds It's possible to fix the problem without uprading by editing the ForgotUsername page in version below 13.x, to use the following code: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123 In version after 13.x it's also possible to edit manually the forgotusername.vm file, but it's really encouraged to upgrade the version here. ### References * https://jira.xwiki.org/browse/XWIKI-18384 * https://jira.xwiki.org/browse/XWIKI-18408 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org)"}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vh5c-jqfg-mhrh", "refsource": "CONFIRM", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vh5c-jqfg-mhrh"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/69548c0320cbd772540cf4668743e69f879812cf", "refsource": "MISC", "url": "https://github.com/xwiki/xwiki-platform/commit/69548c0320cbd772540cf4668743e69f879812cf"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/f0440dfcbba705e03f7565cd88893dde57ca3fa8", "refsource": "MISC", "url": "https://github.com/xwiki/xwiki-platform/commit/f0440dfcbba705e03f7565cd88893dde57ca3fa8"}, {"name": "https://jira.xwiki.org/browse/XWIKI-18384", "refsource": "MISC", "url": "https://jira.xwiki.org/browse/XWIKI-18384"}, {"name": "https://jira.xwiki.org/browse/XWIKI-18408", "refsource": "MISC", "url": "https://jira.xwiki.org/browse/XWIKI-18408"}]}, "source": {"advisory": "GHSA-vh5c-jqfg-mhrh", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:54.749Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vh5c-jqfg-mhrh"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/xwiki/xwiki-platform/commit/69548c0320cbd772540cf4668743e69f879812cf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/xwiki/xwiki-platform/commit/f0440dfcbba705e03f7565cd88893dde57ca3fa8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.xwiki.org/browse/XWIKI-18384"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.xwiki.org/browse/XWIKI-18408"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32732", "datePublished": "2022-02-04T22:15:13", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:54.749Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D3FA811-A9C4-45F7-A876-BB5D69DA7BCE", "versionEndExcluding": "12.10.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "E8ED2C6F-77E6-4B53-A52D-0CD7FA08AFD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:13.1:-:*:*:*:*:*:*", "matchCriteriaId": "333C6A66-CDCD-46DC-A095-74D35B076A78", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "### Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which username(s) is actually tied to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those requests. ### Patches This issue has been patched in XWiki 12.10.5 and 13.2RC1. Two different patches are provided: - a first one to fix the CSRF problem - a more complex one that now relies on sending an email for the Forgot username process. ### Workarounds It's possible to fix the problem without uprading by editing the ForgotUsername page in version below 13.x, to use the following code: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123 In version after 13.x it's also possible to edit manually the forgotusername.vm file, but it's really encouraged to upgrade the version here. ### References * https://jira.xwiki.org/browse/XWIKI-18384 * https://jira.xwiki.org/browse/XWIKI-18408 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org)"}, {"lang": "es", "value": "### Impacto Es posible saber si un usuario presenta o no una cuenta en un wiki relacionada con una direcci\u00f3n de correo electr\u00f3nico, y qu\u00e9 nombre(s) de usuario est\u00e1(n) realmente vinculado(s) a ese correo electr\u00f3nico al falsificar una petici\u00f3n a la p\u00e1gina de Nombre de usuario olvidado. Ten en cuenta que como esta p\u00e1gina no presenta una comprobaci\u00f3n de tipo CSRF es bastante f\u00e1cil llevar a cabo muchas de esas peticiones. ### Parches Este problema ha sido parcheado en XWiki versiones 12.10.5 y 13.2RC1. Se proporcionan dos parches diferentes: - uno para corregir el problema de CSRF - otro m\u00e1s complejo que ahora es basado en el env\u00edo de un correo electr\u00f3nico para el proceso Forgot username. ### Mitigaciones Es posible arreglar el problema sin actualizar al editar la p\u00e1gina de ForgotUsername en versiones anteriores a 13.x, para usar el siguiente c\u00f3digo: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123 En la versi\u00f3n posterior a 13.x tambi\u00e9n es posible editar manualmente el archivo forgotusername.vm, pero es recomendado actualizar la versi\u00f3n aqu\u00ed. References * https://jira.xwiki.org/browse/XWIKI-18384 * https://jira.xwiki.org/browse/XWIKI-18408 ###. Para m\u00e1s informaci\u00f3n Si presenta alguna pregunta o comentario sobre este aviso: * Abra una incidencia en [Jira XWiki](https://jira.xwiki.org) * Env\u00edenos un correo electr\u00f3nico a [security ML](mailto:security@xwiki.org)"}], "id": "CVE-2021-32732", "lastModified": "2024-11-21T06:07:37.293", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-04T23:15:11.547", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/xwiki/xwiki-platform/commit/69548c0320cbd772540cf4668743e69f879812cf"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/xwiki/xwiki-platform/commit/f0440dfcbba705e03f7565cd88893dde57ca3fa8"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vh5c-jqfg-mhrh"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-18384"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-18408"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/xwiki/xwiki-platform/commit/69548c0320cbd772540cf4668743e69f879812cf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/xwiki/xwiki-platform/commit/f0440dfcbba705e03f7565cd88893dde57ca3fa8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vh5c-jqfg-mhrh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-18384"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-18408"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object