PT-2022-24946 · Xwiki · Xwiki Oidc

Clément Aubin · Published 2022-11-04 · Updated 2022-11-07 · CVE-2022-39387

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: XWiki OIDC (the XWiki OpenID Connect authenticator), versions prior to 1.29.1
Description: Before 1.29.1 the authenticator accepted OpenID Connect provider configuration from request parameters. An unauthenticated attacker can therefore bypass XWiki authentication by pointing the authenticator at a provider they control, either through oidc.endpoint.* parameters or through an XWiki-based OpenID provider supplied with oidc.xwikiprovider. In addition, the attacker can supply their own group mapping through oidc.groups.mapping and thereby be placed in XWikiAdminGroup automatically, obtaining wiki administrator rights.
Recommendations: Upgrade XWiki OIDC to version 1.29.1 or later. There is no workaround; the authenticator itself must be upgraded.
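Because there is no workaround short of upgrading, the practical question for an operator is whether anyone already sent these parameters. The script below is an added example, not part of this advisory or of the XWiki project's code: it scans web-server access-log lines in the common "combined" format for requests whose query string carries the parameters the advisory names (any oidc.endpoint.* key, oidc.xwikiprovider, oidc.groups.mapping) and rates a hit higher when the group mapping names XWikiAdminGroup. The sample log lines, the attacker hostname, the two concrete oidc.endpoint.* key names and the "XWikiGroup=providerGroup" shape of the mapping value are constructed assumptions for illustration only.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request parameters the advisory names as attacker-controllable in
# XWiki OIDC before 1.29.1.  Any oidc.endpoint.* key counts; the concrete
# key names that appear in the sample log below are assumptions.
PROVIDER_PREFIXES = ("oidc.endpoint.",)
PROVIDER_PARAMS = frozenset({"oidc.xwikiprovider"})
GROUP_MAPPING_PARAM = "oidc.groups.mapping"
ADMIN_GROUP = "XWikiAdminGroup"

# Apache/nginx "combined" access-log format, reduced to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two benign requests, then two requests carrying
# attacker-chosen OIDC configuration (addresses, host and times are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Nov/2022:10:01:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Nov/2022:10:01:10 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin HTTP/1.1" 302 0',
    '198.51.100.23 - - [04/Nov/2022:10:02:31 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin'
    '?oidc.endpoint.authorization=https%3A%2F%2Fattacker.example%2Fauth'
    '&oidc.endpoint.token=https%3A%2F%2Fattacker.example%2Ftoken HTTP/1.1" 302 0',
    '198.51.100.23 - - [04/Nov/2022:10:02:45 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin'
    '?oidc.xwikiprovider=https%3A%2F%2Fattacker.example%2Fxwiki'
    '&oidc.groups.mapping=XWikiAdminGroup%3Dattackers HTTP/1.1" 302 0',
]


def classify_params(params):
    """Map (name, value) query pairs to (kind, name, value) findings.

    kind is 'provider-override' for oidc.endpoint.* and oidc.xwikiprovider,
    'admin-group-mapping' when oidc.groups.mapping mentions XWikiAdminGroup,
    and 'group-mapping' for any other oidc.groups.mapping value.
    """
    findings = []
    for name, value in params:
        if name in PROVIDER_PARAMS or name.startswith(PROVIDER_PREFIXES):
            findings.append(("provider-override", name, value))
        elif name == GROUP_MAPPING_PARAM:
            kind = "admin-group-mapping" if ADMIN_GROUP in value else "group-mapping"
            findings.append((kind, name, value))
    return findings


def scan_line(line):
    """Return a record for one suspicious log line, or None if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    # parse_qsl percent-decodes names as well as values, so an encoded
    # name such as oidc%2Eendpoint%2Etoken still matches the prefix check.
    params = parse_qsl(target.query, keep_blank_values=True)
    findings = classify_params(params)
    if not findings:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "method": m.group("method"),
        "path": target.path,
        "status": int(m.group("status")),
        "findings": findings,
    }


def scan_log(lines):
    """Scan an iterable of log lines; return records for suspicious requests."""
    return [hit for hit in map(scan_line, lines) if hit is not None]


def suspicious_ips(lines):
    """Distinct client addresses that sent attacker-controlled OIDC config."""
    return sorted({hit["ip"] for hit in scan_log(lines)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        kinds = ", ".join(kind for kind, _, _ in hit["findings"])
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {kinds}')
```

Two caveats when running this against real logs. Access logs only record the query string, so a parameter sent in a POST body is invisible here and has to be looked for in application-level or reverse-proxy request logging. And a hit only shows that someone tried; whether the login succeeded has to be confirmed from XWiki's own authentication logs and from the current membership of XWikiAdminGroup.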

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

CVE-2022-39387
GHSA-M7GV-V8XX-V47W

Affected Products

Xwiki Oidc