CVSS: 4.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

CVE-2024-45042 – Ory Kratos's `highest_available` setting does not properly respect code + mfa credentials
https://notcve.org/view.php?id=CVE-2024-45042
26 Sep 2024 — Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the identity's highest available AAL is `aal1` even though it really is `aal2`. This means that the `highest_available` configuration will act as if the user has only one factor set up, for that particular user, so they can call the settings and whoami endpoints without an `aal2` session, even... • https://github.com/ory/kratos/security/advisories/GHSA-wc43-73w7-x2f5 • CWE-287: Improper Authentication
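To make the failure mode concrete, here is an added Go model of a `highest_available` check, written for this page; it is not Kratos code and does not reproduce Kratos's internal credential or session types. The `Credential` struct, its `MFA` flag, and the two `highestAvailableAAL*` functions are hypothetical simplifications: the buggy variant only counts the classic second-factor types and so never raises an identity with a code-based second factor above `aal1`, while the fixed variant counts a code credential that is configured as a second factor. The effect is visible in `whoamiAllowed`: with the buggy computation an `aal1` session passes a check that should have demanded `aal2`.

```go
package main

import "fmt"

// AAL is the authenticator assurance level of a session or of an identity.
type AAL int

const (
	AAL1 AAL = iota + 1
	AAL2
)

func (a AAL) String() string {
	if a == AAL2 {
		return "aal2"
	}
	return "aal1"
}

// Credential is a hypothetical, simplified stand-in for an identity credential.
// Type uses Kratos-style names for readability only; MFA is a made-up flag
// meaning "the code method is enabled as a second factor for this identity".
type Credential struct {
	Type string // "password", "oidc", "totp", "lookup_secret", "webauthn", "code"
	MFA  bool   // only meaningful for Type == "code"
}

// highestAvailableAALBuggy models the pre-1.3.0 behaviour described above:
// only the classic second-factor types raise the level, so an identity whose
// second factor is the code method is wrongly reported as aal1.
func highestAvailableAALBuggy(creds []Credential) AAL {
	for _, c := range creds {
		switch c.Type {
		case "totp", "lookup_secret", "webauthn":
			return AAL2
		}
	}
	return AAL1
}

// highestAvailableAALFixed additionally treats a code credential that is
// configured as a second factor as something that makes aal2 available.
func highestAvailableAALFixed(creds []Credential) AAL {
	for _, c := range creds {
		switch c.Type {
		case "totp", "lookup_secret", "webauthn":
			return AAL2
		case "code":
			if c.MFA {
				return AAL2
			}
		}
	}
	return AAL1
}

// whoamiAllowed models the `highest_available` policy: the session's AAL must
// be at least the identity's highest available AAL, as computed by `highest`.
// The same check would guard the settings endpoint.
func whoamiAllowed(sessionAAL AAL, creds []Credential, highest func([]Credential) AAL) bool {
	return sessionAAL >= highest(creds)
}

func main() {
	// Constructed sample identity: password as first factor, code as MFA.
	creds := []Credential{{Type: "password"}, {Type: "code", MFA: true}}
	session := AAL1 // the user only completed the first factor

	fmt.Printf("buggy: highest=%s, aal1 session allowed=%v\n",
		highestAvailableAALBuggy(creds), whoamiAllowed(session, creds, highestAvailableAALBuggy))
	fmt.Printf("fixed: highest=%s, aal1 session allowed=%v\n",
		highestAvailableAALFixed(creds), whoamiAllowed(session, creds, highestAvailableAALFixed))
}
```

The check to take away is the second line of output: once the highest available AAL is computed correctly, an `aal1` session is refused and the caller has to complete the second factor first, which is the behaviour the advisory describes as missing before 1.3.0.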