CVE-2022-41933 in XWiki Platform
Summary
by MITRE • 11/24/2022
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When the `reset a forgotten password` feature of XWiki was used, the password was then stored in plain text in database. This only concerns XWiki 13.1RC1 and newer versions. Note that it only concerns the reset password feature available from the "Forgot your password" link in the login view: the features allowing a user to change their password, or for an admin to change a user password are not impacted. This vulnerability is particularly dangerous in combination with other vulnerabilities allowing to perform data leak of personal data from users, such as GHSA-599v-w48h-rjrm. Note that this vulnerability only concerns the users of the main wiki: in case of farms, the users registered on subwiki are not impacted thanks to a bug we discovered when investigating this. The problem has been patched in version 14.6RC1, 14.4.3 and 13.10.8. The patch involves a migration of the impacted users as well as the history of the page, to ensure no password remains in plain text in the database. This migration also involves to inform the users about the possible disclosure of their passwords: by default, two emails are automatically sent to the impacted users. A first email to inform about the possibility that their password have been leaked, and a second email using the reset password feature to ask them to set a new password. It's also possible for administrators to set some properties for the migration: it's possible to decide if the user password should be reset (default) or if the passwords should be kept but only hashed. Note that in the first option, the users won't be able to login anymore until they set a new password if they were impacted. Note that in both options, mails will be sent to users to inform them and encourage them to change their passwords.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 12/21/2022
The vulnerability CVE-2022-41933 represents a critical security flaw in the XWiki Platform that directly impacts user authentication security through improper password storage practices. This vulnerability specifically affects the password reset functionality available through the "Forgot your password" link in the login interface, where passwords were being stored in plain text within the database rather than being properly hashed or encrypted. The issue manifests in XWiki versions 13.1RC1 and newer, making it a regression that emerged in the platform's authentication handling mechanisms. According to CWE-312, this constitutes a weakness where sensitive data is stored without adequate protection, creating a significant risk for user account compromise.
The operational impact of this vulnerability extends beyond simple data exposure, as it creates a dangerous scenario when combined with other exploitation vectors that enable data leakage from user accounts. The vulnerability's scope is limited to the main wiki instance, as subwiki users within farm configurations are protected by a separate bug discovered during investigation, which effectively isolates them from this particular flaw. This segmentation demonstrates the platform's complex architecture and how different components may be affected differently by security issues. The vulnerability has been addressed through patches released in versions 14.6RC1, 14.4.3, and 13.10.8, which include comprehensive database migration procedures.
The remediation strategy implemented by XWiki developers involves a multi-layered approach that addresses both immediate security concerns and user communication requirements. The patch includes automatic database migration that removes plain text passwords from the system while maintaining historical page records, ensuring no trace of sensitive information remains accessible in plaintext. This migration process is particularly sophisticated as it incorporates user notification mechanisms, automatically sending two emails to affected users - one informing them of potential password exposure and another prompting them to reset their passwords through the standard reset process. The solution also provides administrators with configuration options that allow them to choose between resetting passwords entirely or maintaining existing passwords while applying proper hashing, though both approaches require user intervention and notification.
From an ATT&CK perspective, this vulnerability maps to T1531 (Account Access Removal) and T1566 (Phishing) as it creates opportunities for attackers to exploit exposed credentials and potentially gain unauthorized access to user accounts. The vulnerability's impact aligns with the platform's authentication and access control mechanisms, where the improper storage of credentials creates a persistent risk for credential compromise. The security implications extend to compliance requirements for data protection, as storing passwords in plain text violates fundamental security principles and could result in regulatory violations under data protection frameworks. The patch implementation demonstrates a responsible disclosure approach that acknowledges the potential for user account compromise while providing clear mitigation steps and communication protocols to affected users.