9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-39387

GHSA ID

GHSA-m7gv-v8xx-v47w

EPSS Score

0.32267%

CWE

CWE-287

Published

11/4/2022

Updated

1/29/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39387

CVE-2022-39387: XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider

Impact

Even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider by providing its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the oidc.endpoint.* request parameters (or by using an XWiki-based OpenID provider with oidc.xwikiprovider.

With the same approach, one could also provide a specific group mapping through oidc.groups.mapping that would make his user automatically part of the XWikiAdminGroup

Patches

Patched in version 1.29.1.

Workarounds

There is no workaround, an upgrade of the authenticator is required.

References

https://jira.xwiki.org/browse/OIDC-118

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki
Email us at our security mailing list

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-39387

GHSA ID

GHSA-m7gv-v8xx-v47w

EPSS Score

0.32267%

CWE

CWE-287

Published

11/4/2022

Updated

1/29/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.contrib.oidc:oidc-authenticator	maven	< 1.29.1	1.29.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of request parameters in configuration loading. The key evidence comes from the patch which:

Introduces a SAFE_PROPERTIES whitelist (only allowing 'skipped')
Restricts getProperty() methods to only process request parameters for whitelisted properties
Modifies endpoint resolution to prevent direct parameter injection

The original vulnerable functions lacked these safeguards, allowing attackers to override OIDC endpoints, group mappings, and provider configurations through unvalidated request parameters. This directly enabled authentication bypass and privilege escalation as described in CVE-2022-39387.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *v*n i* * wiki **s *n Op*nI* provi**r *on*i*ur** t*rou** its xwiki.prop*rti*s, it is possi*l* to provi** * t*ir* p*rty provi**r *y provi*in* its **t*ils t*rou** r*qu*st p*r*m*t*rs. On* **n t**n *yp*ss t** XWiki *ut**nti**tion *lto**t**r *

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* r*qu*st p*r*m*t*rs in *on*i*ur*tion lo**in*. T** k*y *vi**n** *om*s *rom t** p*t** w*i**: *. Intro*u**s * S***_PROP*RTI*S w*it*list (only *llowin* 'skipp**') *. R*stri*ts **tProp*rty() m*t*o*s to only

9.1

Basic Information

Concerned about an active attack path?

CVE-2022-39387: XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider

Impact

Patches

Workarounds

References

For more information

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI