CVE-2023-45144
📋 TL;DR
This vulnerability in XWiki's Identity OAuth UI component allows attackers to inject malicious scripts and XWiki syntax via OAuth login parameters. Successful exploitation enables remote code execution through Groovy macros, compromising the entire XWiki installation. All XWiki instances using vulnerable versions of the identity-oauth-ui package are affected.
💻 Affected Systems
- XWiki with Identity OAuth UI component
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of XWiki installation with administrative access, data theft, system takeover, and potential lateral movement to connected systems.
Likely Case
Unauthenticated remote code execution leading to data exfiltration, privilege escalation, and installation of backdoors or malware.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though risk remains due to the nature of the vulnerability.
🎯 Exploit Status
The vulnerability is in the login flow and requires no authentication. Exploitation involves crafting malicious OAuth parameters with XSS and Groovy macro injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6
Vendor Advisory: https://github.com/xwikisas/identity-oauth/security/advisories/GHSA-h2rm-29ch-wfmh
Restart Required: Yes
Instructions:
1. Identify the XWiki installation version and the installed identity-oauth-ui package version.
2. Update identity-oauth-ui to version 1.6 or later via the XWiki Extension Manager or by manual installation.
3. Restart the XWiki application server.
4. Verify the fix by checking the package version.
🔧 Temporary Workarounds
No known workarounds
The vendor advisory states that there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Disable OAuth authentication method entirely if not required
- Implement strict network access controls to limit exposure to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check the identity-oauth-ui package version in XWiki Administration > Extensions. If version is below 1.6, the system is vulnerable.
Check Version:
Check the XWiki Administration panel, or examine the version embedded in the file name of WEB-INF/lib/identity-oauth-ui-*.jar.
Verify Fix Applied:
Verify identity-oauth-ui package version is 1.6 or higher in XWiki Administration > Extensions.
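The three checks above reduce to one comparison: is the installed identity-oauth-ui version below 1.6? The following is an added example (not code from this page or from the identity-oauth project) that performs that comparison on jar file names. It assumes the jar follows Maven naming, identity-oauth-ui-<version>[-<qualifier>].jar, as implied by the WEB-INF/lib pattern given above; the sample listings are constructed. It compares versions numerically (so 1.10 is correctly treated as newer than 1.6) and treats a qualifier such as -SNAPSHOT as a pre-release build that ranks below the final 1.6.

```python
import re
from pathlib import Path

# Fixed version named by the advisory on this page: identity-oauth-ui 1.6.
FIXED_VERSION = (1, 6)

# Assumed Maven-style jar name: identity-oauth-ui-<version>[-<qualifier>].jar
JAR_PATTERN = re.compile(
    r"^identity-oauth-ui-(?P<nums>\d+(?:\.\d+)*)(?:-(?P<qualifier>[\w.]+))?\.jar$"
)


def parse_jar_version(filename):
    """Return ((major, minor, ...), is_release) for an identity-oauth-ui jar, else None.

    Numeric parts compare as integers, so 1.10 sorts above 1.6. A qualifier such
    as -SNAPSHOT or -rc1 marks a pre-release build of that number.
    """
    m = JAR_PATTERN.match(filename)
    if not m:
        return None
    nums = tuple(int(part) for part in m.group("nums").split("."))
    return nums, m.group("qualifier") is None


def is_vulnerable(jar_filenames):
    """True if an identity-oauth-ui jar below 1.6 is present, False if every
    matching jar is 1.6 or later, None if the package is not installed at all."""
    found = [v for v in map(parse_jar_version, jar_filenames) if v is not None]
    if not found:
        return None
    # Rank = (numeric parts, 1 for a release / 0 for a pre-release) versus the fix.
    fixed_rank = (FIXED_VERSION, 1)
    return any((nums, int(release)) < fixed_rank for nums, release in found)


def check_lib_dir(lib_dir):
    """Scan a real WEB-INF/lib directory for the jar and classify it."""
    names = [p.name for p in Path(lib_dir).glob("identity-oauth-ui-*.jar")]
    return is_vulnerable(names)


if __name__ == "__main__":
    # Constructed sample directory listings, not taken from a real installation.
    for sample in (["identity-oauth-ui-1.5.jar", "some-other-lib-2.0.jar"],
                   ["identity-oauth-ui-1.6.jar"],
                   ["identity-oauth-ui-1.10.jar"],
                   ["identity-oauth-ui-1.6-SNAPSHOT.jar"],
                   ["some-other-lib-2.0.jar"]):
        print(sample, "->", is_vulnerable(sample))
```

A None result means the extension is not deployed in that webapp, which is worth recording separately from "patched": an instance that never had the OAuth UI installed is out of scope, while a missing jar on an instance that should have it usually points at a different deployment path.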
📡 Detection & Monitoring
Log Indicators:
- Unusual OAuth login attempts with long or encoded parameters
- Groovy macro execution from unexpected sources
- Error logs containing script injection attempts
Network Indicators:
- HTTP GET requests to OAuth endpoints with suspicious parameter values
- Requests containing script tags or Groovy macro syntax
SIEM Query:
web_access_logs WHERE (url_path CONTAINS '/oauth/' OR url_path CONTAINS '/login/') AND (query_string CONTAINS '<script' OR query_string CONTAINS '{{groovy' OR query_string CONTAINS '%3Cscript')
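The SIEM query above only matches the literal and singly URL-encoded forms of the markers. As an added example (not code from this page or from the identity-oauth project), the script below applies the same logic to raw web-server access logs, but decodes the query string repeatedly before matching, so a double-encoded marker such as %257B%257Bgroovy is caught as well, and lower-cases both path and query so case variations of /Login/ or <SCRIPT are not missed. It assumes Apache/Nginx combined log format; the four log lines are constructed samples, and the path fragments and markers are the ones listed on this page.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format); none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:12:00:01 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin?oauth_provider=github&state=abc123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:12:00:02 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin?oauth_provider=%3Cscript%3E HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2023:12:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2023:12:00:04 +0000] "GET /xwiki/oauth/callback?code=xyz&state=%257B%257Bgroovy%257D%257D HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path fragments and markers taken from the SIEM query on this page.
WATCHED_PATHS = ("/oauth/", "/login/")
INDICATORS = ("<script", "{{groovy")


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded %257B%257Bgroovy collapses to {{groovy."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a finding dict for a suspicious OAuth/login request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = fully_decode(parts.path).lower()
    if not any(fragment in path for fragment in WATCHED_PATHS):
        return None
    query = fully_decode(parts.query).lower()
    hits = [marker for marker in INDICATORS if marker in query]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "status": int(m.group("status")), "indicators": hits}


def scan(log_text):
    """Run classify() over every line of a log and collect the findings."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Running it on the samples flags the second and fourth requests and leaves the ordinary login and page view alone. Because the decoded comparison is bounded to three rounds, a value that keeps changing under decoding is still examined in its partially decoded form rather than looping; the status code is kept in the finding so that 200 responses to such requests can be prioritised over rejected ones.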
🔗 References
- https://github.com/xwikisas/identity-oauth/blob/master/ui/src/main/resources/IdentityOAuth/LoginUIExtension.vm#L58
- https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6
- https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6#diff-2ab2e0716443d790d7d798320e4a45151661f4eca5440331f4a227b29c87c188
- https://github.com/xwikisas/identity-oauth/security/advisories/GHSA-h2rm-29ch-wfmh
- https://jira.xwiki.org/browse/XWIKI-20719