PT-2022-3499 · Xwiki · Xwiki Platform

Published: 2022-05-05 · Updated: 2023-07-21 · CVE-2022-29161

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
- XWiki Platform versions prior to 13.10.6
- XWiki Platform versions prior to 14.3.1
- XWiki Platform versions prior to 14.4-rc-1

Description
The XWiki Crypto API generates X509 certificates signed by default using SHA1 with RSA, which is no longer considered safe for certificate signatures because of the risk of SHA1 collisions. This issue may allow a remote attacker to execute arbitrary code. The API is never used in XWiki Standard but might be used in some XWiki extensions.

Recommendations
- For XWiki Platform versions prior to 13.10.6, upgrade to version 13.10.6 or later.
- For XWiki Platform versions prior to 14.3.1, upgrade to version 14.3.1 or later.
- For XWiki Platform versions prior to 14.4-rc-1, upgrade to version 14.4-rc-1 or later.
- If an upgrade is not possible, patch the xwiki-platform-crypto module in a local installation by applying the change in commit 26728f3 and recompiling the module.
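A defender-side check for the weakness described above, added here as an example and not part of this advisory or of the XWiki project: it reads the signatureAlgorithm OID from a DER-encoded certificate using only the Python standard library and flags SHA-1 based algorithms, so certificates issued by an unpatched xwiki-platform-crypto (or any other issuer) can be inventoried. The sample certificate is a constructed skeleton with the right outer structure, not a real certificate.

```python
# OIDs of SHA-1 based signature algorithms (RFC 3279 / RFC 5758).
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                       "1.2.840.10040.4.3": "dsaWithSHA1",
                       "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    parts, value = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)
def signature_algorithm_oid(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280, section 4.1)."""
    tag, pos, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, _, pos = _read_tlv(cert_der, pos)      # tbsCertificate, skipped whole
    assert tag == 0x30, "tbsCertificate missing"
    tag, pos, _ = _read_tlv(cert_der, pos)      # signatureAlgorithm ::= SEQUENCE
    assert tag == 0x30, "AlgorithmIdentifier missing"
    tag, start, end = _read_tlv(cert_der, pos)  # first element is the algorithm OID
    assert tag == 0x06, "AlgorithmIdentifier must begin with an OID"
    return _decode_oid(cert_der[start:end])
def uses_sha1_signature(cert_der):
    """True when the outer signature uses a SHA-1 based algorithm."""
    return signature_algorithm_oid(cert_der) in SHA1_SIGNATURE_OIDS

# Constructed sample input below: a certificate skeleton, not a real certificate.
def _der(tag, content):
    """Encode one DER element; long-form length from 128 content bytes upward."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")  # DER of 1.2.840.113549.1.1.5

def sample_certificate(sig_alg_oid_der):
    """Oversized placeholder tbsCertificate (forces long-form lengths, as real
    certificates have), AlgorithmIdentifier with NULL params, empty BIT STRING."""
    tbs = _der(0x30, _der(0x04, b"\x00" * 200))
    alg = _der(0x30, sig_alg_oid_der + b"\x05\x00")
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```

Feed `uses_sha1_signature` the DER bytes of a real certificate (PEM files need base64-decoding of the body first) to audit an existing store.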

Weakness Enumeration
- Use of a Broken Cryptographic Algorithm
- Inadequate Encryption Strength

Related Identifiers
- BDU:2022-04280
- CVE-2022-29161
- GHSA-H8V5-P258-PQF4

Affected Products
- Xwiki Platform