Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 14.6-rc-1, 13.10.8, 14.4.3
Affects Version/s: 13.1-rc-1
Component/s: Authentication
Labels:

Development Priority:
High
Difficulty:
Easy
Documentation:
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q2hm-2h45-v5g3
Documentation in Release Notes:
https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/14.6RC1/#HMigrationsendingemails
Similar issues:

Description

Tested on 14.4.1 but according to github the current state is still affected.

When the the reset password form is used the new password is stored in plaintext.

xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/main/java/org/xwiki/security/authentication/internal/DefaultResetPasswordManager.java - Line 317:

userXObject.setStringValue("password", newPassword);

After fixing this a migration will be needed to convert passwords that are currently stored in plaintext into hashes.

Furthermore, this indicates that the authentication check works against a stored plaintext password. This should not be possible.

Attachments

Issue Links

causes

XWIKI-20067 Misleading logs suggesting that the security mails about clear passwords were not sent

Closed

is related to

XWIKI-19945 Reset password and forgot username features are not working for subwiki users

Closed

XWIKI-11205 If view rights are not allowed for guest users then ResetPassword doesn't work

Closed

Activity

People

Assignee:: Simon Urli

Reporter:: Yana Oksner

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 23/Jun/22 13:37

Updated:: 21/Nov/22 10:31

Resolved:: 08/Jul/22 14:03

Date of First Response:: 24/Jun/22 9:00 AM