Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-32729

Good to know:

icon

Date: July 1, 2021

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A vulnerability exists in versions prior to 12.6.88, 12.10.4, and 13.0. The script service method used to reset the authentication failures record can be executed by any user with Script rights and does not require Programming rights. An attacher with script rights who is able to reset the authentication failure record might perform a brute force attack, since they would be able to virtually deactivate the mechanism introduced to mitigate those attacks. The problem has been patched in version 12.6.8, 12.10.4 and 13.0. There are no workarounds aside from upgrading.

Language: Java

Severity Score

Related Resources (4)

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m738-3rc4-5xv3
https://nvd.nist.gov/vuln/detail/CVE-2021-32729
https://jira.xwiki.org/browse/XWIKI-18276
https://www.mend.io/vulnerability-database/CVE-2021-32729

Severity Score

Weakness Type (CWE)

Authentication Issues

CWE-287

Incorrect Permission Assignment for Critical Resource

CWE-732

Top Fix

icon

Upgrade Version

Upgrade to version xwiki-platform-12.6.8,xwiki-platform-12.10.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us