CVE-2022-39387
XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider
Description
### Impact

Even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to supply a third-party provider by passing its details through request parameters. One can then bypass the XWiki authentication altogether by specifying one's own provider through the oidc.endpoint.* request parameters (or by using an XWiki-based OpenID provider with oidc.xwikiprovider). With the same approach, one could also supply a specific group mapping through oidc.groups.mapping that would make the user automatically part of the XWikiAdminGroup.

### Patches

Patched in version 1.29.1.

### Workarounds

There is no workaround; an upgrade of the authenticator is required.

### References

https://jira.xwiki.org/browse/OIDC-118

### For more information

If you have any questions or comments about this advisory:

* Open an issue in Jira XWiki
* Email us at our security mailing list
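The impact section names the request parameters a client can use to override the server-side OIDC configuration (oidc.endpoint.*, oidc.xwikiprovider and oidc.groups.mapping). Until the authenticator is upgraded, a defender can at least look for requests that carry those parameters. The following Python script is an added example, not part of the advisory or of the XWiki project: it scans constructed Apache/nginx combined-format access log lines, extracts the query string of each request and reports any request whose parameters match the names given above. The log lines, hosts and URL paths in SAMPLE_LOG are made up for the example; only the parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the advisory: in versions < 1.29.1 a client can
# use these to replace the configured provider or inject a group mapping.
OVERRIDE_PREFIXES = ("oidc.endpoint.",)
OVERRIDE_PARAMS = {"oidc.xwikiprovider", "oidc.groups.mapping"}

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)


def suspicious_params(target):
    """Return the OIDC override parameter names present in a request target.

    Only the query string is inspected; parse_qsl decodes percent-encoding, so
    encoded parameter names are caught as well.
    """
    query = urlsplit(target).query
    found = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if name in OVERRIDE_PARAMS or name.startswith(OVERRIDE_PREFIXES):
            found.append(name)
    return found


def classify(params):
    """Rank a hit: a group mapping to XWikiAdminGroup is the worst case."""
    if "oidc.groups.mapping" in params:
        return "group-mapping"
    return "provider-override"


def scan_log(lines):
    """Return (ip, timestamp, target, params, kind) for each request that
    carries at least one override parameter; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = suspicious_params(m.group("target"))
        if params:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"),
                         params, classify(params)))
    return hits


# Constructed sample log: two benign requests and two carrying override
# parameters. Hosts and paths are placeholders, not real XWiki endpoints.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2022:10:00:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Nov/2022:10:00:02 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Nov/2022:10:01:13 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin'
    '?oidc.endpoint.authorization=https%3A%2F%2Fprovider.example%2Fauth'
    '&oidc.endpoint.token=https%3A%2F%2Fprovider.example%2Ftoken HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Nov/2022:10:01:40 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin'
    '?oidc.xwikiprovider=https%3A%2F%2Fprovider.example%2Fxwiki'
    '&oidc.groups.mapping=XWikiAdminGroup%3Dadmins HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, ts, target, params, kind in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {kind}: {', '.join(params)}  {target}")
```

Two caveats for anyone running this against real logs: parameters sent in a POST body are not visible in a standard access log, so the same check belongs at a reverse proxy or WAF that can inspect request bodies, and a hit only shows that the parameters were presented, not that the authenticator accepted them; the upgrade to 1.29.1 remains the fix.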
How to fix CVE-2022-39387
To remediate CVE-2022-39387, upgrade the affected package to a fixed version below.
- Upgrade to 1.29.1 or later
Is CVE-2022-39387 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- All versions from 0 up to, but not including, 1.29.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |