
CVSS: 8.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, in both the Python and the Go code. Only authentik deployments that users can reach directly, without a reverse proxy in front, are affected. The result is that an attacker can spoof their IP address as seen in logs, in downstream applications proxied by the (built-in) outpost, and in custom flows that check the client IP. This is a security risk when flows or policies make decisions based on the user's IP address, e.g. skipping the user's two-factor authentication when the user is connected to the company network. A second risk is that the IP addresses recorded in log files and user sessions are no longer reliable. • https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv https://goauthentik.io/docs/releases/2023.4#fixed-in-202343 https://goauthentik.io/docs/releases/2023.5#fixed-in-202355 • CWE-436: Interpretation Conflict •
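The header-trust problem described above, as an added example that is not authentik's own code: the vulnerable pattern takes X-Forwarded-For / X-Real-IP from any TCP peer, while the hardened pattern only honours them when the direct peer is a configured reverse proxy and then walks the chain from the right. The proxy ranges, the "company network" and the MFA-skip policy are constructed for the example.

```python
# Added example, not authentik's code: deriving the client IP behind an
# optional reverse proxy. TRUSTED_PROXIES, COMPANY_NETWORK and the sample
# addresses are constructed for the example.
import ipaddress
from typing import Dict, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: the reverse proxies we operate. An instance that users reach
# directly has no entry matching the attacker's address, which is the point.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]
# Constructed: the LAN a policy might use to skip the second factor.
COMPANY_NETWORK = ipaddress.ip_network("192.168.0.0/16")


def _parse(addr: str) -> Optional[IPAddress]:
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted_proxy(addr: str) -> bool:
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip_unverified(remote_addr: str, headers: Dict[str, str]) -> str:
    """Vulnerable pattern: believe the forwarding headers from any TCP peer."""
    for name in ("X-Forwarded-For", "X-Real-IP"):
        value = headers.get(name)
        if value:
            return value.split(",")[0].strip()
    return remote_addr


def client_ip_verified(remote_addr: str, headers: Dict[str, str]) -> str:
    """Hardened pattern: honour the headers only when the socket peer is one of
    our proxies, then walk X-Forwarded-For from the right, skipping every hop
    that is itself a trusted proxy. Anything malformed falls back to the
    socket address rather than to attacker-controlled text."""
    if not _is_trusted_proxy(remote_addr):
        return remote_addr
    xff = headers.get("X-Forwarded-For")
    if not xff:
        real_ip = headers.get("X-Real-IP", "")
        return real_ip.strip() if _parse(real_ip) else remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse(hop) is None:
            return remote_addr
        if not _is_trusted_proxy(hop):
            return hop
    # Every hop is one of our proxies: the request originated inside our network.
    return hops[0]


def mfa_required(client_ip: str) -> bool:
    """The kind of policy the advisory warns about: skip MFA on the company LAN."""
    ip = _parse(client_ip)
    return ip is None or ip not in COMPANY_NETWORK


if __name__ == "__main__":
    # Attacker connects directly (no proxy in front) and forges the header.
    direct = {"X-Forwarded-For": "192.168.1.10"}
    print(mfa_required(client_ip_unverified("203.0.113.5", direct)))  # False: MFA bypassed
    print(mfa_required(client_ip_verified("203.0.113.5", direct)))    # True
```

With a trusted proxy in front, the proxy appends the real peer address as the right-most X-Forwarded-For entry, so a forged left-most value is ignored; without one, the hardened function never reads the header at all, which is the behaviour the fixed releases provide.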

CVSS: 9.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password of any arbitrary user. The attack is only possible if a recovery flow exists that has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage that skip it when the flow is restored (by checking `request.context['is_restored']`), the flow is not affected. With such a flow in place, an administrator must create a recovery link or send a recovery URL to the attacker, who can then, because the token is not properly validated, set the password for any account. • https://github.com/goauthentik/authentik/security/advisories/GHSA-3xf5-pqvf-rqq3 https://goauthentik.io/docs/releases/2023.2#fixed-in-202323 • CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 6.4 | EPSS: 0% | CPEs: 2 | EXPL: 1

authentik is an open-source Identity Provider focused on flexibility and versatility. In versions prior to 2022.10.4 and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This circumvents any policy in a situation where it is undesirable for users to create new accounts by themselves. It may also affect other applications, as these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into, as no password reset exists by default. • https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5 • CWE-269: Improper Privilege Management CWE-287: Improper Authentication •

CVSS: 9.4 | EPSS: 0% | CPEs: 2 | EXPL: 1

authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to an access control bypass via the use of a different enrollment flow than the one the invitation was created for. An attacker who knows the names of different invitation flows (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`), learned from different invite links or by brute force, can sign up through any of them with a single invitation URL for any valid invite received (it can even be a URL for a third flow, as long as it is a valid invite). The reason is that the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected in the interface and is NOT bound to the selected flow, so it is valid for any flow when used. • https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h • CWE-287: Improper Authentication •
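Both the recovery-link entry (GHSA-3xf5-pqvf-rqq3) and the invitation entry above come down to the same defect: a token that is checked for existence but not for the context it was issued in. The following is an added example, not authentik's code, that models one server-side token store with an unbound check beside a bound one. Flow slugs, usernames and the two stage simulations are constructed for the example.

```python
# Added example, not authentik's code: a flow token that is merely "known"
# versus one bound to the flow (and, for recovery, the user) it was issued for.
# Flow slugs and usernames below are constructed.
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class FlowToken:
    flow_slug: str        # the flow this token was created for
    user: Optional[str]   # account a recovery token acts on; None for invitations


_STORE: Dict[str, FlowToken] = {}  # constructed server-side token store


def issue(flow_slug: str, user: Optional[str] = None) -> str:
    key = secrets.token_urlsafe(32)
    _STORE[key] = FlowToken(flow_slug, user)
    return key


def validate_unbound(key: str, flow_slug: str, target_user: Optional[str]) -> bool:
    """Vulnerable: any existing token passes, whatever flow or user it was
    issued for. This lets an invitation for `enrollment-invitation-test`
    enrol through `enrollment-invitation-admin`, and lets a recovery link
    for one user set the password of another."""
    return key in _STORE


def validate_bound(key: str, flow_slug: str, target_user: Optional[str]) -> bool:
    """Hardened: the token must match the flow it was issued for and, for a
    recovery token, the user it was issued for. It is consumed on success."""
    token = _STORE.get(key)
    if token is None:
        return False
    if token.flow_slug != flow_slug:
        return False
    if token.user is not None and token.user != target_user:
        return False
    del _STORE[key]
    return True


Validator = Callable[[str, str, Optional[str]], bool]


def recovery_set_password(key: str, identified_user: str, validate: Validator) -> Optional[str]:
    """Simulates restoring a recovery flow whose identification stage lets the
    visitor type any username. Returns the account whose password is set,
    or None when the token is rejected."""
    if validate(key, "default-recovery-flow", identified_user):
        return identified_user
    return None


def invitation_enrol(key: str, flow_slug: str, validate: Validator) -> bool:
    """Simulates the invitation stage of an enrollment flow."""
    return validate(key, flow_slug, None)


if __name__ == "__main__":
    link = issue("default-recovery-flow", user="alice")
    print(recovery_set_password(link, "admin", validate_unbound))  # admin: takeover
    print(recovery_set_password(link, "admin", validate_bound))    # None
    invite = issue("enrollment-invitation-test")
    print(invitation_enrol(invite, "enrollment-invitation-admin", validate_unbound))  # True
    print(invitation_enrol(invite, "enrollment-invitation-admin", validate_bound))    # False
```

The bound validator also makes the policy workaround from the recovery entry unnecessary in this model: because the user comes from the token, re-running the identification stage on restore cannot redirect the password change to another account.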

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows email-verified password recovery, this can be used to overwrite the email address of admin accounts and take them over. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow` flow with the contents `return request.user.is_authenticated`. • https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102 https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
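How the workaround above closes the unauthenticated path, as an added example that is not authentik's code: a toy policy engine that evaluates expression-policy bodies bound to a flow. The class names and the anonymous user are constructed; only the policy text `return request.user.is_authenticated` and the flow slug come from the advisory.

```python
# Added example, not authentik's code: a minimal model of an expression policy
# bound to a flow. Class names are constructed; the policy body and the flow
# slug `default-user-settings-flow` are the ones named in the advisory.
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class User:
    username: str
    is_authenticated: bool


ANONYMOUS = User("anonymous", is_authenticated=False)  # constructed guest user


@dataclass
class Request:
    user: User
    context: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Flow:
    slug: str
    policies: List[str] = field(default_factory=list)  # expression bodies


WORKAROUND_POLICY = "return request.user.is_authenticated"


def evaluate_policy(expression: str, request: Request) -> bool:
    """Run a policy body as the body of a function with only `request` in
    scope and builtins removed. A policy that raises is treated as a deny."""
    body = "\n".join("    " + line for line in expression.splitlines())
    namespace: Dict[str, Any] = {"__builtins__": {}, "request": request}
    try:
        exec(f"def _policy():\n{body}\n", namespace)
        return bool(namespace["_policy"]())
    except Exception:
        return False


def can_start_flow(flow: Flow, request: Request) -> bool:
    """Every policy bound to the flow must pass; a flow with none is open,
    which is the state the vulnerable default flow is in."""
    return all(evaluate_policy(p, request) for p in flow.policies)


def apply_workaround(flow: Flow) -> Flow:
    """Bind the advisory's policy to the flow (idempotent)."""
    if WORKAROUND_POLICY not in flow.policies:
        flow.policies.append(WORKAROUND_POLICY)
    return flow


if __name__ == "__main__":
    flow = Flow("default-user-settings-flow")
    print(can_start_flow(flow, Request(ANONYMOUS)))      # True: anyone may enter
    apply_workaround(flow)
    print(can_start_flow(flow, Request(ANONYMOUS)))      # False
    print(can_start_flow(flow, Request(User("alice", True))))  # True
```

Note that the workaround only protects the flow it is bound to; the permanent fix in 2022.11.2 and 2022.10.2 is still the right answer, and the policy is a stop-gap for instances that cannot upgrade immediately.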