CVE-2022-39387

XWiki OIDC Authenticator vulnerable to OpenID login bypass due to improper authentication

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

XWiki OIDC provides various tools for working with the OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to supply the details of a third-party provider through request parameters. One can then bypass XWiki authentication altogether by specifying one's own provider through the oidc.endpoint.* request parameters (or by using an XWiki-based OpenID provider with oidc.xwikiprovider). With the same approach, one could also supply a specific group mapping through oidc.groups.mapping that would make the user automatically part of XWikiAdminGroup. This issue has been patched; please upgrade to 1.29.1. There is no workaround; an upgrade of the authenticator is required.
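The following is an added illustration, not XWiki's own code: it models the request-parameter override the description refers to (oidc.endpoint.*, oidc.xwikiprovider, oidc.groups.mapping winning over xwiki.properties) next to one possible hardened model that treats those settings as server-side only. The configured values, hostnames and mapping strings are constructed, and the hardened function is a model of the defence, not the actual 1.29.1 patch.

```python
# Added illustration, not XWiki code: models the request-parameter override
# described in CVE-2022-39387. The hardened variant is one possible fix
# model, not the actual 1.29.1 patch.

# Constructed sample of the OIDC settings an administrator would put in
# xwiki.properties (hostname is a placeholder).
CONFIGURED = {
    "oidc.endpoint.authorization": "https://idp.example.internal/authorize",
    "oidc.endpoint.token": "https://idp.example.internal/token",
    "oidc.endpoint.userinfo": "https://idp.example.internal/userinfo",
}

# Settings that decide who authenticates the user and which groups they
# join; letting the client pick them is what made the bypass possible.
SERVER_ONLY_KEYS = ("oidc.xwikiprovider", "oidc.groups.mapping")


def is_server_only(key):
    """True for settings that must come from server configuration only."""
    return key.startswith("oidc.endpoint.") or key in SERVER_ONLY_KEYS


def resolve_vulnerable(config, request_params):
    """Pre-1.29.1 behaviour as the advisory describes it: any oidc.* request
    parameter wins over the configured value."""
    effective = dict(config)
    for key, value in request_params.items():
        if key.startswith("oidc."):
            effective[key] = value
    return effective


def resolve_hardened(config, request_params):
    """Provider endpoints, oidc.xwikiprovider and the group mapping come from
    server configuration only; request attempts to set them are dropped and
    returned so the caller can log them as a possible bypass attempt."""
    effective = dict(config)
    rejected = []
    for key, value in request_params.items():
        if not key.startswith("oidc."):
            continue  # unrelated request parameter
        if is_server_only(key):
            rejected.append(key)
        else:
            effective[key] = value
    return effective, sorted(rejected)
```

The `rejected` list is the detection hook: a non-empty value on a wiki that already has a provider configured is worth an alert, since legitimate clients have no reason to send those parameters.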

*Credits: N/A
CVSS Scores
Metric               First vector   Second vector
Attack Vector        Network        Network
Attack Complexity    Low            Low
Privileges Required  None           None
User Interaction     None           None
Scope                Unchanged      Unchanged
Confidentiality      High           High
Integrity            None           None
Availability         None           High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-09-02 CVE Reserved
  • 2022-11-04 CVE Published
  • 2024-05-27 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product          Version    Other   Status
Xwiki    Openid Connect   < 1.29.1   -       Affected