Co-authored-by: Jens L <jens@goauthentik.io> fix CVE-2024-38371 (#10229)
committed by GitHub
parent f1d173f94e
commit 49fe670932
website/docs/security/CVE-2024-38371.md (new file, 23 lines)
@ -0,0 +1,23 @@
# CVE-2024-38371
_Reported by Stefan Zwanenburg_
## Insufficient access control for OAuth2 Device Code flow
### Impact
Due to a bug, access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application, and access the application.
### Patches
authentik 2024.6.0, 2024.4.3 and 2024.2.4 fix this issue, for other versions the workaround can be used.
### Workarounds
As authentik flows are still used as part of the OAuth2 Device code flow, it is possible to add access control to the configured flows.
### For more information
If you have any questions or comments about this advisory:
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
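Review bot: The Workarounds section ("As authentik flows are still used as part of the OAuth2 Device code flow, it is possible to add access control to the configured flows.") tells an operator on an unpatched version that a workaround exists but not which flow it applies to or how the access control is attached; name the flow used by the device-code flow and the concrete step (which object to bind the access check to), otherwise the section cannot be acted on. Smaller points in the same hunk: the Patches sentence is a comma splice ("fix this issue, for other versions the workaround can be used" should be two sentences or joined with a semicolon), the heading says "Device Code flow" while the Impact text says "Device code flow", and the "For more information" section is a one-item bullet list under a sentence ending in a colon, which reads fine but could simply be a sentence.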