CVE-2024-45042 – Ory Kratos's `highest_available` setting does not properly respect code + mfa credentials

https://notcve.org/view.php?id=CVE-2024-45042

Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the identity’s highest available AAL is `aal1` even though it really is `aal2`. This means that the `highest_available` configuration will act as if the user has only one factor set up, for that particular user. This means that they can call the settings and whoami endpoint without a `aal2` session, even though that should be disallowed. An attacker would need to steal or guess a valid login OTP of a user who has only OTP for login enabled and who has an incorrect `available_aal` value stored, to exploit this vulnerability. • https://github.com/ory/kratos/security/advisories/GHSA-wc43-73w7-x2f5 • CWE-287: Improper Authentication •