CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-23647 – PKCE downgrade attack in Authentik
https://notcve.org/view.php?id=CVE-2024-23647
30 Jan 2024 — Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker... • https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-48228 – OAuth2: PKCE can be fully circumvented
https://notcve.org/view.php?id=CVE-2023-48228
21 Nov 2023 — authentik is an open-source identity provider. When initialising a oauth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check if there is a matching and existing `code_verifier` during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks if the contents of `code_verifier` is matching only when it is provided. When it is left out completely, authentik simply accepts the token request with out it; even when the flow wa... • https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225 • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46249 – authentik potential installation takeover when default admin user is deleted
https://notcve.org/view.php?id=CVE-2023-46249
31 Oct 2023 — authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installati... • https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-39522 – Username enumeration attack in goauthentik
https://notcve.org/view.php?id=CVE-2023-39522
29 Aug 2023 — goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recovery flow described above is susceptible to having their username/email revealed as existing. An attacker can easily enumerate and check users' existence using the recovery flow, as a clear message is shown when a user... • https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599 • CWE-203: Observable Discrepancy •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-36456 – Authentik lacks Proxy IP headers validation
https://notcve.org/view.php?id=CVE-2023-36456
06 Jul 2023 — authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the go code. Only authentik setups that are directly accessible by users without a reverse proxy are susceptible to this. Possible spoofing of IP addresses in logs, downstream applications proxied by (built in) outpost, IP bypassing in custom flows if used. This poses a possible security risk when someone has fl... • https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff • CWE-436: Interpretation Conflict •