security: fix CVE-2024-47077 (#11535) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
This commit is contained in:
gcp-cherry-pick-bot[bot]
committed by
GitHub
GitHub
parent
09125b6236
commit
57a31b5dd1
25
website/docs/security/CVE-2024-47077.md
Normal file
25
website/docs/security/CVE-2024-47077.md
Normal file
@ -0,0 +1,25 @@
|
||||
# CVE-2024-47077
|
||||
|
||||
_Reported by [@quentinmit](https://github.com/quentinmit)_
|
||||
|
||||
## Insufficient cross-provider token validation during introspection
|
||||
|
||||
### Summary
|
||||
|
||||
Access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access.
|
||||
|
||||
### Details
|
||||
|
||||
The proxy provider uses `/application/o/introspect/` to validate bearer tokens provided in the `Authorization` header:
|
||||
|
||||
The implementation of this endpoint separately validates the `client_id` and `client_secret` (which are that of the proxy provider) and the `token` without validating that they correspond to the same provider.
|
||||
|
||||
### Patches
|
||||
|
||||
authentik 2024.6.5 and 2024.8.3 fix this issue.
|
||||
|
||||
### For more information
|
||||
|
||||
If you have any questions or comments about this advisory:
|
||||
|
||||
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
|
||||
Reference in New Issue
Block a user