SCA: security update for org.xwiki.platform:xwiki-platform-crypto (GHSA-h8v5-p258-pqf4)

critical Tenable Cloud Security Plugin ID 415602

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.
The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not
considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. The
problem has been patched in XWiki version 13.10.6, 14.3.1 and 14.4-rc-1. Since then, the Crypto API will
generate X509 certificates signed by default using SHA256 with RSA. Administrators are advised to upgrade
their XWiki installation to one of the patched versions. If the upgrade is not possible, it is possible to
patch the module xwiki-platform-crypto in a local installation by applying the change exposed in 26728f3
and re-compiling the module. (CVE-2022-29161)

See Also

https://github.com/advisories/GHSA-h8v5-p258-pqf4

Plugin Details

Severity: Critical

ID: 415602

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-29161

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/24/2022

Vulnerability Publication Date: 5/5/2022

Reference Information

CVE: CVE-2022-29161