CVE-2022-29161 : XWiki Platform is a generic wiki platform offering runtime services for applicat

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. The problem has been patched in XWiki version 13.10.6, 14.3.1 and 14.4-rc-1. Since then, the Crypto API will generate X509 certificates signed by default using SHA256 with RSA. Administrators are advised to upgrade their XWiki installation to one of the patched versions. If the upgrade is not possible, it is possible to patch the module xwiki-platform-crypto in a local installation by applying the change exposed in 26728f3 and re-compiling the module.

Published 2022-05-06 00:15:08

Updated 2023-07-21 16:42:47

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-29161

Xwiki » Xwiki
Versions before (<) 13.10.6
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Matching versions
Xwiki » Xwiki
Versions from including (>=) 14.0 and before (<) 14.3.1
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-29161

EPSS FAQ

0.30%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 53 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-29161

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
5.4	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N	2.2	2.7	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2022-29161

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Assigned by: nvd@nist.gov (Primary)
CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2022-29161

https://jira.xwiki.org/browse/XWIKI-19676

[XWIKI-19676] Update the RSA Crypto script service to use SHA256 instead of SHA1 for certificate signature - XWiki.org JIRA
Vendor Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h8v5-p258-pqf4

Crypto script service uses hashing algorithm SHA1 with RSA for certificate signature · Advisory · xwiki/xwiki-platform · GitHub
Third Party Advisory
https://github.com/xwiki/xwiki-platform/commit/26728f3f23658288683667a5182a916c7ecefc52

XWIKI-19676: Update the RSA Crypto script service to use SHA256 inste… · xwiki/xwiki-platform@26728f3 · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-29161

Products affected by CVE-2022-29161

Exploit prediction scoring system (EPSS) score for CVE-2022-29161

CVSS scores for CVE-2022-29161

CWE ids for CVE-2022-29161

References for CVE-2022-29161