XWiki, Authentication Bypass, CVE-2024-XXXX (Medium)

How the CVE Works:

The vulnerability lies in XWiki's authentication administration. The page `XWiki.Authentication.Administration`, which selects the active authenticator for the wiki, is not protected by adequate access controls, and when `xwiki.cfg` does not set the authenticator explicitly, the choice made on that page is the one in effect. As a result any authenticated user, even one with minimal privileges, can change the active authenticator. An attacker could switch the wiki to a weaker or different authenticator (for example the standard XWiki authenticator in place of an SSO one), which disrupts OIDC/LDAP integrations and, depending on the deployment, bypasses the intended authentication path. Default installations are less exposed because only the standard authenticator is available, so there is nothing to switch to; deployments with additional authenticators installed (OIDC, LDAP, etc.) risk authentication bypass or denial of service.

DailyCVE Form:

Platform: XWiki
Version: <15.10.9, <16.3.0RC1
Vulnerability: Authentication Bypass
Severity: Medium
Date: 2024-XX-XX

What Undercode Say:

Exploitation:

1. A low-privileged but authenticated user opens `XWiki.Authentication.Administration` (the request carries that user's session cookie; the cookie value is a placeholder):

curl -X GET -b "JSESSIONID=<session>" "http://<xwiki-host>/xwiki/bin/view/XWiki/Authentication/Administration"

2. If more than one authenticator is installed, the user switches the active one by submitting the page's form through the `save` action. The request below is illustrative only: XWiki rejects state-changing POSTs that lack a valid `form_token` CSRF token, and the real field name is the one rendered by the page's form, not literally `authenticator`; the value must be the identifier of an authenticator that is actually installed:

POST /xwiki/bin/save/XWiki/Authentication/Administration HTTP/1.1
Host: <xwiki-host>
Cookie: JSESSIONID=<session>
Content-Type: application/x-www-form-urlencoded
...
form_token=<token>&authenticator=<id-of-installed-authenticator>

Mitigation:

1. Patch immediately (XWiki 15.10.9 or 16.3.0RC1 and later). If you cannot patch yet, restrict access to the page. XWiki keeps page rights as `XWiki.XWikiRights` objects stored on the page itself, not as a column in a database table, so do not try to apply the restriction with raw SQL against the XWiki tables; use the rights UI below.

2. Manual workaround via GUI:

  • Open Administer Page > Rights for `XWiki.Authentication` and apply the rights to the page and its children, so that `XWiki.Authentication.Administration` is covered.
  • Revoke `VIEW` and `EDIT` for non-admins, leaving only the administrators group.

Detection:

XWiki itself logs little about page saves, so check the servlet container's access log (for Tomcat, `logs/localhost_access_log.<date>.txt`; the path below is an assumption for your install). Look for saves or edits of the page rather than plain views, which administrators perform legitimately:

grep -E '"(POST|GET) /xwiki/bin/(save|saveandcontinue|edit|inline)/XWiki/Authentication/Administration' /path/to/tomcat/logs/localhost_access_log.*.txt

Also open the page history (`/xwiki/bin/view/XWiki/Authentication/Administration?viewer=history`) and look for versions saved by users who are not administrators.
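The detection above, as an added example (not code from the original advisory or from the XWiki project): two shell functions that run over Common Log Format access lines, keep only the actions that modify the authenticator page, and pivot the hits by client IP. The log file path, the sample log lines and the date in them are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: not from the original advisory or the XWiki project.
# It assumes the servlet container writes Common Log Format access logs
# (Tomcat's logs/localhost_access_log.<date>.txt); the log lines below are
# constructed for the demo.

# Lines that modify the authenticator page: the "save", "saveandcontinue",
# "edit" and "inline" actions on XWiki/Authentication/Administration.
# Plain "view" requests are not matched: admins open the page legitimately
# and a view alone changes nothing.
# Returns 0 when at least one such line exists, 1 otherwise, so it can be
# used directly as an alert condition.
xwiki_auth_admin_writes() {
    grep -E '"(POST|GET) /xwiki/bin/(save|saveandcontinue|edit|inline)/XWiki/Authentication/Administration[/? ]' "$1"
}

# Same hits grouped by client IP. The remote-user column of a container
# access log is usually "-" for XWiki (authentication happens in the
# application, not the container), so the IP is the practical pivot;
# correlate it with the page history to get the user name.
xwiki_auth_admin_writes_by_ip() {
    xwiki_auth_admin_writes "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Constructed sample log for the demo.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [12/Nov/2024:10:15:02 +0000] "GET /xwiki/bin/view/XWiki/Authentication/Administration HTTP/1.1" 200 8412
10.0.0.5 - - [12/Nov/2024:10:15:09 +0000] "GET /xwiki/bin/edit/XWiki/Authentication/Administration?editor=object HTTP/1.1" 200 23110
10.0.0.5 - - [12/Nov/2024:10:15:31 +0000] "POST /xwiki/bin/save/XWiki/Authentication/Administration HTTP/1.1" 302 -
192.168.1.20 - - [12/Nov/2024:10:16:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
192.168.1.20 - - [12/Nov/2024:10:17:45 +0000] "POST /xwiki/bin/save/Sandbox/TestPage HTTP/1.1" 302 -
10.0.0.5 - - [12/Nov/2024:10:18:01 +0000] "POST /xwiki/bin/saveandcontinue/XWiki/Authentication/Administration HTTP/1.1" 200 310
EOF

if xwiki_auth_admin_writes "$SAMPLE_LOG" >/dev/null; then
    echo "authenticator page modified; attempts per client IP:"
    xwiki_auth_admin_writes_by_ip "$SAMPLE_LOG"
else
    echo "no writes to the authenticator page found"
fi
```

On the sample, the three edit/save lines from 10.0.0.5 are reported and the unrelated save in `Sandbox` is ignored. Point `xwiki_auth_admin_writes` at the real access log, or at several rotated files concatenated with `cat`, and use its exit status as the alert condition.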

Configuration Hardening:

Pin the authenticator in `xwiki.cfg` so that the wiki-level setting on `XWiki.Authentication.Administration` is ignored. The key is `xwiki.authentication.authclass` and the value is the fully qualified class of the authenticator you actually use; when the key is unset the default is `com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl`. Example for the LDAP authenticator:

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl

Restart XWiki after editing `xwiki.cfg`, since the file is read at startup.

Impact Analysis:

  • High impact where an SSO authenticator (OIDC, LDAP) is installed: switching the wiki to the standard authenticator breaks SSO login for everyone.
  • Low risk if only the default authenticator exists, because there is no other authenticator to switch to.

Note: Audit which authenticators are installed. Authenticator extensions deployed into the webapp are visible in `WEB-INF/lib` (the platform's own `xwiki-platform-security-authentication-*` jars are core and expected); extensions installed through the Extension Manager live in the permanent directory instead, so also review Administer Wiki > Extensions:

ls -l /path/to/xwiki/webapps/xwiki/WEB-INF/lib/ | grep -i authenticat
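The hardening step (pinning `xwiki.authentication.authclass`) and the audit note above, combined into one added example that is not code from the original advisory or the XWiki project. It checks whether the authenticator is pinned in `xwiki.cfg`, lists the extra authenticator jars in `WEB-INF/lib`, and combines the two into the advisory's own risk rule: exposed only when the class is not pinned and there is another authenticator to switch to. The config files and jar names it creates are constructed fixtures (`X.Y.Z` stands in for real versions).

```bash
#!/usr/bin/env bash
# Added example: not from the original advisory or the XWiki project.
# Assumes a stock xwiki.cfg (the authclass key ships commented out with
# "#-#") and a WEB-INF/lib directory; the config files and jar names
# created below are constructed for the demo (X.Y.Z stands in for versions).

# Print the authenticator pinned in xwiki.cfg and return 0, or return 1
# when the key is absent or commented out. Only an uncommented
# "xwiki.authentication.authclass=" line pins the authenticator; when it
# is unset the wiki-level choice made on XWiki.Authentication.Administration
# is what takes effect.
xwiki_authclass_pinned() {
    grep -E '^[[:space:]]*xwiki\.authentication\.authclass[[:space:]]*=' "$1" \
        | sed 's/^[^=]*=[[:space:]]*//' | grep .
}

# List authenticator jars in WEB-INF/lib. Contrib authenticators are shipped
# as *-authenticator-*.jar (ldap-authenticator, oidc-authenticator, ...);
# the platform's own xwiki-platform-security-authentication-* jars are core
# and skipped. Extensions installed through the Extension Manager live in
# the permanent directory instead, so also review Administer Wiki > Extensions.
xwiki_extra_authenticators() {
    ls "$1" | grep -i 'authenticat' | grep -v '^xwiki-platform-'
}

# Verdict: return 0 (exposed) only when the authclass is not pinned AND there
# is another authenticator to switch to, which is the combination the
# advisory describes; a default install with a single authenticator is low risk.
xwiki_authenticator_switch_exposed() {
    if xwiki_authclass_pinned "$1" >/dev/null; then
        echo "authclass pinned in xwiki.cfg: wiki-level switch has no effect"
        return 1
    fi
    if [ "$(xwiki_extra_authenticators "$2" | grep -c .)" -eq 0 ]; then
        echo "only the default authenticator is present: nothing to switch to"
        return 1
    fi
    echo "EXPOSED: authclass not pinned and extra authenticators installed"
    return 0
}

# Constructed fixtures for the demo.
SAMPLE_LIB=$(mktemp -d)
touch "$SAMPLE_LIB/ldap-authenticator-X.Y.Z.jar" \
      "$SAMPLE_LIB/oidc-authenticator-X.Y.Z.jar" \
      "$SAMPLE_LIB/xwiki-platform-security-authentication-default-X.Y.Z.jar" \
      "$SAMPLE_LIB/commons-lang3-X.Y.Z.jar"

PINNED_CFG=$(mktemp)
cat >"$PINNED_CFG" <<'EOF'
#-# The authentication class. Default:
#-# xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
EOF

UNPINNED_CFG=$(mktemp)
cat >"$UNPINNED_CFG" <<'EOF'
#-# The authentication class. Default:
#-# xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
EOF

echo "authenticator jars: $(xwiki_extra_authenticators "$SAMPLE_LIB" | tr '\n' ' ')"
xwiki_authenticator_switch_exposed "$PINNED_CFG" "$SAMPLE_LIB"
xwiki_authenticator_switch_exposed "$UNPINNED_CFG" "$SAMPLE_LIB"
```

Run it against the real files with `xwiki_authenticator_switch_exposed /path/to/xwiki.cfg /path/to/webapps/xwiki/WEB-INF/lib`; a zero exit status is the case the advisory warns about and means you should either pin the class or restrict the page until you can patch.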

Sources:

Reported By: github.com