CVE-2022-36090: 
Java vulnerability analysis and mitigation

CVE-2022-36090 is a security vulnerability affecting XWiki platform versions prior to 13.10.5 and 14.3RC1. The vulnerability was discovered in September 2022 and relates to improper authorization checks for inactive users. This issue has existed since at least version 1.1 of XWiki for instances configured with email activation required for new users (GHSA Advisory).

The vulnerability stems from missing checks for inactive (not yet activated or disabled) users in certain resources, including the REST service. The issue allows disabled users to perform unauthorized actions, including self-enabling through REST calls. The vulnerability has a CVSS v3.1 base score of 8.1 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The vulnerability is classified as CWE-285 (Improper Authorization) (GHSA Advisory).

The vulnerability allows disabled users to bypass authorization controls and perform unauthorized actions through the REST API and other resource handlers. Most critically, disabled users could potentially enable their own accounts and access resources that should be restricted. This issue became more critical for versions >= 11.3RC1 due to the introduction of user disabling capabilities (GHSA Advisory).

The vulnerability has been patched in XWiki versions 13.10.5 and 14.3RC1. There are no workarounds available other than upgrading to a patched version of XWiki (GHSA Advisory).