Home > Vulnerability Database > CVE-2022-39387

Mend.io Vulnerability Database

CVE-2022-39387

Good to know:

Date: November 4, 2022

XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the oidc.endpoint.* request parameters (or by using an XWiki-based OpenID provider with oidc.xwikiprovider. With the same approach, one could also provide a specific group mapping through oidc.groups.mapping that would make his user automatically part of the XWikiAdminGroup. This issue has been patched, please upgrade to 1.29.1. There is no workaround, an upgrade of the authenticator is required.

Language: Java

Severity Score

7.5

Related Resources (5)

Url: https://jira.xwiki.org/browse/OIDC-118

Url: https://github.com/xwiki-contrib/oidc/commit/0247af1417925b9734ab106ad7cd934ee870ac89

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39387

Url: https://github.com/xwiki-contrib/oidc/security/advisories/GHSA-m7gv-v8xx-v47w

Url: https://www.mend.io/vulnerability-database/CVE-2022-39387

Severity Score

7.5

Weakness Type (CWE)

Authentication Issues

CWE-287

Top Fix

Upgrade Version

Upgrade to version org.xwiki.contrib.oidc:oidc-authenticator:1.29.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39387

Good to know:

Date: November 4, 2022

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?