CVE-2022-39387 – XWiki OIDC Authenticator vulnerable to OpenID login bypass due to improper authentication
https://notcve.org/view.php?id=CVE-2022-39387
XWiki OIDC provides various tools for working with the OpenID Connect protocol in XWiki. Prior to version 1.29.1, even when a wiki has an OpenID provider configured in its xwiki.properties, a client can supply the details of a third-party provider through request parameters. An attacker can therefore bypass XWiki authentication altogether by pointing the authenticator at a provider they control, either through the oidc.endpoint.* request parameters or by naming an XWiki-based OpenID provider with oidc.xwikiprovider. With the same approach, an attacker can also supply a group mapping through oidc.groups.mapping that makes their user automatically a member of XWikiAdminGroup. This issue has been patched; upgrade to version 1.29.1. • https://github.com/xwiki-contrib/oidc/commit/0247af1417925b9734ab106ad7cd934ee870ac89 https://github.com/xwiki-contrib/oidc/security/advisories/GHSA-m7gv-v8xx-v47w https://jira.xwiki.org/browse/OIDC-118 • CWE-287: Improper Authentication
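The root cause described above is a precedence problem: a request parameter was allowed to replace a value the administrator set in xwiki.properties. The following Python model, added here as an illustration and not taken from the XWiki OIDC code base or its 1.29.1 patch, shows the client-controlled precedence beside a "configured value wins" rule. The parameter names oidc.endpoint.*, oidc.xwikiprovider and oidc.groups.mapping come from the advisory; the specific endpoint keys listed, the group-mapping syntax, the sample property values and the hardened rule are this example's own assumptions.

```python
from typing import Dict, List, Mapping, Optional

# Parameter names are taken from the advisory; which endpoint keys exist and
# how oidc.groups.mapping is written are assumptions made for this example.
PROVIDER_KEYS = (
    "oidc.xwikiprovider",
    "oidc.endpoint.authorization",
    "oidc.endpoint.token",
    "oidc.endpoint.userinfo",
    "oidc.groups.mapping",
)


def resolve_setting(key: str, properties: Mapping[str, str],
                    request_params: Mapping[str, str],
                    *, request_overrides: bool) -> Optional[str]:
    """Return the effective value of one oidc.* setting.

    request_overrides=True models the pre-1.29.1 behaviour the advisory
    describes: a request parameter wins even when xwiki.properties sets
    the key. request_overrides=False is the hardened rule used in this
    example (an assumption, not the actual patch): an administrator-
    configured value can never be replaced by the client, and request
    parameters are consulted only for keys the administrator left unset.
    """
    configured = properties.get(key)
    requested = request_params.get(key)
    if request_overrides:
        return requested if requested is not None else configured
    return configured if configured is not None else requested


def parse_group_mapping(mapping: Optional[str]) -> Dict[str, List[str]]:
    """Parse 'XWikiGroup=providergroup,XWikiGroup2=providergroup2' into
    {providergroup: [XWikiGroup, ...]}. Syntax assumed for this example."""
    result: Dict[str, List[str]] = {}
    if not mapping:
        return result
    for entry in mapping.split(","):
        entry = entry.strip()
        if "=" not in entry:
            continue
        xwiki_group, provider_group = (s.strip() for s in entry.split("=", 1))
        result.setdefault(provider_group, []).append(xwiki_group)
    return result


def effective_login(properties: Mapping[str, str],
                    request_params: Mapping[str, str],
                    provider_groups: List[str],
                    *, request_overrides: bool) -> dict:
    """Work out which provider the login is sent to and which XWiki groups
    the authenticated user ends up in, under either precedence rule."""
    settings = {k: resolve_setting(k, properties, request_params,
                                   request_overrides=request_overrides)
                for k in PROVIDER_KEYS}
    mapping = parse_group_mapping(settings["oidc.groups.mapping"])
    groups = sorted({g for pg in provider_groups for g in mapping.get(pg, [])})
    return {
        "authorization": settings["oidc.endpoint.authorization"],
        "token": settings["oidc.endpoint.token"],
        "xwikiprovider": settings["oidc.xwikiprovider"],
        "groups": groups,
    }


# Constructed sample data: the wiki's xwiki.properties, and request
# parameters from an attacker who runs their own OpenID provider.
ADMIN_PROPERTIES = {
    "oidc.endpoint.authorization": "https://idp.example.org/authorize",
    "oidc.endpoint.token": "https://idp.example.org/token",
    "oidc.groups.mapping": "XWiki.XWikiAdminGroup=wiki-admins",
}
ATTACKER_PARAMS = {
    "oidc.endpoint.authorization": "https://attacker.invalid/authorize",
    "oidc.endpoint.token": "https://attacker.invalid/token",
    "oidc.groups.mapping": "XWiki.XWikiAdminGroup=anyone",
}
# Groups the attacker's own provider asserts for the attacker's account.
ATTACKER_IDP_GROUPS = ["anyone"]


def demo():
    """Same request evaluated under both rules; returns (before, after)."""
    before = effective_login(ADMIN_PROPERTIES, ATTACKER_PARAMS,
                             ATTACKER_IDP_GROUPS, request_overrides=True)
    after = effective_login(ADMIN_PROPERTIES, ATTACKER_PARAMS,
                            ATTACKER_IDP_GROUPS, request_overrides=False)
    return before, after


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("request overrides config:", vulnerable)
    print("config wins            :", hardened)
```

Under the first rule the login is redirected to attacker.invalid and the attacker's own mapping puts them in XWiki.XWikiAdminGroup; under the second rule the configured endpoints and mapping are used and the attacker's request parameters have no effect. The same review question applies to any authenticator that merges request data with server configuration: for every setting, which side wins when both are present.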