XWiki OIDC Token Creation Vulnerability for Users with VIEW Access

Vulnerability

A vulnerability in XWiki's OpenID Connect (OIDC) component allows any user with VIEW access to another user's profile to create an authentication token for that user. XWiki OIDC versions from 2.17.1 up to, but not including, 2.18.2 are affected. On an instance configured to accept token authentication, this can be used to impersonate any user, because user profiles are normally viewable by every registered user. The root cause is an insufficient access check in the token management process: VIEW access on the profile is treated as sufficient to create tokens for that profile's owner.

Impact

An attacker who can view a victim's profile can create a token for the victim and use it to authenticate to the XWiki instance as that user, with the victim's privileges.

Reproduction

To reproduce, a user needs VIEW access to a target user's profile, which registered users normally have. With that access, the user opens the token management section of the target's profile, creates a token, and then authenticates with it as the target. An automated test covering this case is included in the XWiki OIDC repository.
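The access-control mistake behind this advisory, modeled as an added Python example rather than XWiki OIDC's own code: the `Wiki` and `Token` classes, the rights table, the `XWiki.<user>` profile naming, and all function names are assumptions made for the illustration. Only the logic is taken from the advisory: the vulnerable check lets anyone with VIEW on a profile mint a token for that user, while the fixed check requires the caller to be that user. A small post-patch audit that lists tokens minted for one account by a different caller is included, since upgrading does not by itself show whether the flaw was used.

```python
"""Constructed model of the flaw in this advisory.

Added illustration, not code from XWiki OIDC: the Wiki/Token classes, the
rights table, the profile naming and the function names are assumptions made
for the example. The logic follows the advisory: the vulnerable check lets
anyone with VIEW on a profile mint a token for that user; the fixed check
requires the caller to be that user.
"""
import secrets
from dataclasses import dataclass, field

VIEW, EDIT = "view", "edit"


@dataclass
class Token:
    value: str
    owner: str       # account the token authenticates as
    created_by: str  # caller that minted it


@dataclass
class Wiki:
    # (user, document) -> set of rights; hypothetical stand-in for XWiki's ACLs
    rights: dict = field(default_factory=dict)
    tokens: list = field(default_factory=list)

    @staticmethod
    def profile_of(user):
        return f"XWiki.{user}"

    def has_right(self, user, document, right):
        return right in self.rights.get((user, document), set())

    def _mint(self, caller, target):
        tok = Token(secrets.token_urlsafe(32), owner=target, created_by=caller)
        self.tokens.append(tok)
        return tok

    def create_token_vulnerable(self, caller, target):
        """Flawed check: VIEW on the target's profile is treated as sufficient."""
        if not self.has_right(caller, self.profile_of(target), VIEW):
            raise PermissionError(f"{caller} cannot view {target}'s profile")
        return self._mint(caller, target)

    def create_token_fixed(self, caller, target):
        """Hardened check: a token may only be created by the account it belongs to."""
        if caller != target:
            raise PermissionError(f"{caller} may not create tokens for {target}")
        return self._mint(caller, target)

    def authenticate(self, presented):
        """Resolve a presented token to the account it logs in as, or None."""
        for tok in self.tokens:
            if secrets.compare_digest(tok.value, presented):
                return tok.owner
        return None

    def suspicious_tokens(self):
        """Post-patch audit: tokens minted for one account by a different caller."""
        return [t for t in self.tokens if t.created_by != t.owner]


def build_demo_wiki():
    """Constructed sample data: two registered users, each able to VIEW every
    profile (the advisory's precondition) and EDIT only their own."""
    w = Wiki()
    users = ("alice", "mallory")
    for u in users:
        for target in users:
            w.rights[(u, Wiki.profile_of(target))] = {VIEW}
        w.rights[(u, Wiki.profile_of(u))].add(EDIT)
    return w


def exploit_demo():
    """Run the attack against the vulnerable check, then show the fixed check refusing it."""
    w = build_demo_wiki()
    stolen = w.create_token_vulnerable("mallory", "alice")
    impersonated = w.authenticate(stolen.value)
    try:
        w.create_token_fixed("mallory", "alice")
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "impersonated": impersonated,
        "blocked_after_fix": blocked,
        "suspicious": [(t.owner, t.created_by) for t in w.suspicious_tokens()],
    }


if __name__ == "__main__":
    print(exploit_demo())
```

The `suspicious_tokens` audit only works if the token store records who created each token; if a real deployment keeps no such attribution, the practical fallback is to have each user review the tokens listed on their own profile and remove any they do not recognise.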

Remediation

Upgrade to XWiki OIDC 2.18.2 or later, which fixes the access check. Upgrade instructions are in the XWiki OIDC repository. Upgrading closes the issue but does not by itself reveal whether it was exploited, so tokens already present on an affected instance should be reviewed and any that their owners do not recognise removed.

Added: Oct 6, 2025, 3:29 PM
Updated: Oct 6, 2025, 3:29 PM

Vulnerability Rating

Custom Algorithm

category        score
spread           1.9
impact           5.0
exploitability   9.1
remediation      7.9
relevance        0.7
threat           4.8
urgency          2.9
incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.