CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-23647 – PKCE downgrade attack in Authentik
https://notcve.org/view.php?id=CVE-2024-23647
30 Jan 2024 — Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker... • https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a • CWE-287: Improper Authentication •
CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21637 – XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode
https://notcve.org/view.php?id=CVE-2024-21637
11 Jan 2024 — Authentik is an open-source Identity Provider. Authentik is a vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`. This relatively user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6. Authentik es un proveedor de identidades de código abierto. • https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-48228 – OAuth2: PKCE can be fully circumvented
https://notcve.org/view.php?id=CVE-2023-48228
21 Nov 2023 — authentik is an open-source identity provider. When initialising a oauth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check if there is a matching and existing `code_verifier` during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks if the contents of `code_verifier` is matching only when it is provided. When it is left out completely, authentik simply accepts the token request with out it; even when the flow wa... • https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225 • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46249 – authentik potential installation takeover when default admin user is deleted
https://notcve.org/view.php?id=CVE-2023-46249
31 Oct 2023 — authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installati... • https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •