You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@apache.org by Juan Pablo Santos Rodríguez <ju...@apache.org> on 2022/08/03 20:46:24 UTC

CVE-2022-34158: Apache JSPWiki: User Group Privilege Escalation

Severity: critical

Description:

A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page. 

Mitigation:

Apache JSPWiki users should upgrade to 2.11.3 or later. 

Credit:

This issue was discovered by Huiseong Seo (t0rchwo0d), <awdr1624AT gmail DOT com>

References:

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158

Re: CVE-2022-34158: Apache JSPWiki: User Group Privilege Escalation

Posted by Juan Pablo Santos Rodríguez <ju...@apache.org>.

On Wed, Aug 3, 2022 at 10:46 PM Juan Pablo Santos Rodríguez
<ju...@apache.org> wrote:
>
> Severity: critical
>
> Description:
>
> A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page.
>
> Mitigation:
>
> Apache JSPWiki users should upgrade to 2.11.3 or later.
>
> Credit:
>
> This issue was discovered by Huiseong Seo (t0rchwo0d), <awdr1624AT gmail DOT com>
>
> References:
>
> https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158
>