
CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks.
References: https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj
CWE-287: Improper Authentication

CVSS: 7.6 | EPSS: 0% | CPEs: 2 | EXPL: 0

Authentik is an open-source Identity Provider. Authentik is vulnerable to a reflected cross-site scripting vulnerability via JavaScript URIs in OpenID Connect flows with `response_mode=form_post`. A user could use the described attack to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6.
References: https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6 https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.6 https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 1

authentik is an open-source identity provider. When initialising an OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check that a matching `code_verifier` is present during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks whether the contents of `code_verifier` match only when it is provided. When it is left out completely, authentik simply accepts the token request without it, even when the flow was started with a `code_challenge`. authentik 2023.8.5 and 2023.10.4 fix this issue.
References: https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225 https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6 https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5 https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14 https://github.com/goauthentik/authentik/pull/7666 https://github.com/goauthentik/authentik/pull/7668 https://github.com/goauthentik/authentik/pull/7669
CWE-287: Improper Authentication

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin user's password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user and store it in a secure location such as a password manager.
References: https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0 https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2 https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4 https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w
CWE-287: Improper Authentication; CWE-306: Missing Authentication for Critical Function

CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

goauthentik is an open-source Identity Provider. In affected versions, when a recovery flow with an identification stage is used, an attacker is able to determine whether a username exists. Only setups configured with a recovery flow are impacted. Anyone with a user account on a system with the recovery flow described above is susceptible to having their username or email revealed as existing. An attacker can easily enumerate and check users' existence using the recovery flow, as a clear message is shown when a user doesn't exist.
References: https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599 https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87
CWE-203: Observable Discrepancy