PT-2022-26163 · Xwiki · Xwiki Platform
Published: 2022-11-21
Updated: 2023-07-10
CVE-2022-41932
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 13.10.8
XWiki Platform versions prior to 14.4.2
XWiki Platform versions prior to 14.6RC1
Description
XWiki's default authenticator interprets the login submitted in the login form as a reference to the user's profile document, and a reference may carry an explicit wiki prefix. An unauthenticated attacker can therefore submit crafted user identifiers that name wikis which do not exist; each such identifier causes XWiki to create a new schema and fill it with tables. Repeating this with many different identifiers creates many schemas, degrading database performance (availability impact only, no authentication or user interaction required, matching the vector above). The advisory reports the issue for deployments on PostgreSQL.
Recommendations
For versions prior to 13.10.8, upgrade to version 13.10.8 or later.
For versions prior to 14.4.2, upgrade to version 14.4.2 or later.
For versions prior to 14.6RC1, upgrade to version 14.6RC1 or later.
As a temporary workaround, use an authenticator that does not interpret the login as a reference to a document, so that a wiki prefix in the submitted identifier is never resolved against the database.
Alternatively, because the advisory reports the issue for PostgreSQL deployments, running XWiki on a different database may mitigate it.
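The following is an added example written for this page; it is not code from XWiki or from the advisory. It shows the two checks a practitioner would want while waiting to upgrade: a detector that flags login attempts whose identifier is written as a wiki-prefixed XWiki reference (`wiki:Space.Page` is XWiki's reference syntax) and counts how many distinct unknown wiki prefixes each client submits, and a plain-login validator in the spirit of the workaround (an authenticator that never treats the login as a reference). The log line format, the client addresses and the wiki names are constructed sample data; the assumption that the login form field is named `j_username` and the choice of `known_wikis` are the operator's to adjust.

```python
"""Added example (not XWiki's code): detect wiki-prefixed login identifiers
and reject reference-like logins before they reach a reference-resolving
authenticator. Sample data below is constructed, not real traffic."""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# XWiki document references look like "wiki:Space.Page". A login value with an
# explicit "wiki:" prefix is what a reference-interpreting authenticator would
# resolve against a possibly non-existent wiki.
WIKI_PREFIX = re.compile(r"^(?P<wiki>[A-Za-z0-9_-]+):(?P<rest>.+)$")

# Constructed sample of login submissions: "<client_ip> <form body>".
# Field name j_username is assumed to be the login form's user field.
SAMPLE_ATTEMPTS = [
    "10.0.0.5 j_username=alice&j_password=x",
    "203.0.113.7 j_username=w001%3AXWiki.Admin&j_password=x",
    "203.0.113.7 j_username=w002%3AXWiki.Admin&j_password=x",
    "203.0.113.7 j_username=w003%3AXWiki.Admin&j_password=x",
    "10.0.0.5 j_username=xwiki%3AXWiki.alice&j_password=x",
]


def wiki_prefix(login: str):
    """Return the explicit wiki name if `login` is written as a reference, else None."""
    m = WIKI_PREFIX.match(login)
    return m.group("wiki") if m else None


def is_suspicious_login(login: str, known_wikis) -> bool:
    """True when the login names a wiki that is not one of the deployed wikis."""
    wiki = wiki_prefix(login)
    if wiki is None:
        return False
    return wiki.lower() not in {k.lower() for k in known_wikis}


def scan_login_attempts(lines, known_wikis=("xwiki",), threshold=2):
    """Map client IP -> sorted distinct unknown wiki prefixes it submitted,
    keeping only clients at or above `threshold` distinct prefixes."""
    seen = defaultdict(set)
    for line in lines:
        ip, _, body = line.partition(" ")
        # parse_qs percent-decodes, so "w001%3AXWiki.Admin" becomes "w001:XWiki.Admin".
        login = parse_qs(body).get("j_username", [""])[0]
        if is_suspicious_login(login, known_wikis):
            seen[ip].add(wiki_prefix(login))
    return {ip: sorted(w) for ip, w in seen.items() if len(w) >= threshold}


def validate_plain_login(login: str) -> str:
    """Hardening check for a front end or custom authenticator: accept only a
    plain account name, never anything that could be parsed as a reference.
    The allowed character set and length are illustrative assumptions."""
    if ":" in login or not re.fullmatch(r"[A-Za-z0-9_.@-]{1,64}", login):
        raise ValueError("login must be a plain account name, not a document reference")
    return login


if __name__ == "__main__":
    for ip, wikis in scan_login_attempts(SAMPLE_ATTEMPTS).items():
        print(f"{ip}: {len(wikis)} distinct unknown wiki prefixes {wikis}")
```

Run against real login submissions, a client that cycles through many unknown wiki prefixes is the pattern to alert on; on PostgreSQL, compare the flagged prefixes with the schemas actually present (`information_schema.schemata`) to confirm whether the crafted identifiers created any. The validator is a stop-gap at the edge, not a replacement for the patched releases listed above.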
Tags: DoS, Resource Exhaustion, Allocation of Resources Without Limits
Related Identifiers: CVE-2022-41932
Affected Products: Xwiki Platform