CVE-2022-39387: 
Java vulnerability analysis and mitigation

XWiki OIDC (OpenID Connect) authentication module contained a critical authentication bypass vulnerability (CVE-2022-39387) discovered in January 2022. The vulnerability affected versions prior to 1.29.1 of the org.xwiki.contrib.oidc:oidc-authenticator Maven package. This security flaw allowed attackers to bypass the configured OpenID provider authentication mechanism by manipulating request parameters (GitHub Advisory).

The vulnerability has a CVSS v3.1 score of 9.1 (Critical) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H. The flaw is classified as CWE-287 (Improper Authentication). The vulnerability allowed attackers to specify their own provider through oidc.endpoint.* request parameters or by using an XWiki-based OpenID provider with oidc.xwikiprovider, effectively bypassing the authentication configured in xwiki.properties (GitHub Advisory).

The vulnerability could allow attackers to bypass XWiki authentication completely. Additionally, attackers could exploit the flaw to provide specific group mappings through oidc.groups.mapping, potentially gaining administrative access by making their user automatically part of the XWikiAdminGroup (GitHub Advisory, Jira Issue).

The vulnerability was patched in version 1.29.1 of the authenticator. There are no workarounds available, and an upgrade to the patched version is required to address the security issue (GitHub Advisory).