Advisories for Maven/Org.xwiki.contrib.oidc/Oidc-Authenticator package

2022

XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider

XWiki OIDC provides various tools for working with the OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to supply the details of a third-party provider through request parameters. One can then bypass XWiki authentication altogether by specifying their own provider through the oidc.endpoint.* request parameters (or by using an XWiki-based OpenID provider with oidc.xwikiprovider. With …