diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
index d90ee68fb4..b2f69de3aa 100644
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -1,13 +1,14 @@
 """User API Views"""
 from datetime import timedelta
+from importlib import import_module
 from json import loads
 from typing import Any
+from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.core.cache import cache
+from django.contrib.sessions.backends.base import SessionBase
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@@ -91,6 +92,7 @@ from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
 LOGGER = get_logger()
+SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore
 class UserGroupSerializer(ModelSerializer):
@@ -774,7 +776,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 if not instance.is_active:
 sessions = AuthenticatedSession.objects.filter(user=instance)
 session_ids = sessions.values_list("session_key", flat=True)
-cache.delete_many(f"{KEY_PREFIX}{session}" for session in session_ids)
+ for session in session_ids:
+ SessionStore(session).delete()
 sessions.delete()
 LOGGER.debug("Deleted user's sessions", user=instance.username)
 return response
diff --git a/authentik/core/signals.py b/authentik/core/signals.py
index 3c103b169f..8632376ed9 100644
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
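Review bot: The annotation on the new module-level `SessionStore` is wrong: `import_module(settings.SESSION_ENGINE).SessionStore` is the backend class, not an instance, so `SessionStore: SessionBase` describes something that is never true, and the later `SessionStore(session)` calls only make sense for a class; `SessionStore: type[SessionBase] = import_module(settings.SESSION_ENGINE).SessionStore` is the accurate form. The same line is added in authentik/core/signals.py in this commit and has the same issue. Because the engine is resolved once when the module is imported, a `SESSION_ENGINE` override applied afterwards (for example in a test) will not be reflected; a short comment such as `# Session backend is bound at import time from settings.SESSION_ENGINE` would make that explicit for the next maintainer.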
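Review bot: The new loop in the `is_active` branch deletes each backend session by key and then `sessions.delete()` removes the AuthenticatedSession rows, but the `pre_delete` receiver for AuthenticatedSession changed in authentik/core/signals.py in this same commit already calls `SessionStore(instance.session_key).delete()` per row, and Django sends that signal for a queryset `delete()` when a receiver is connected, so the explicit loop appears to repeat that work. If the duplication is intended as a safeguard, a one-line comment saying so would stop a later reader from removing it; otherwise the loop could go and the revocation would rest on the receiver alone. The loop variable holds a session key rather than a session object, so `for session_key in session_ids: SessionStore(session_key).delete()` reads more accurately. The enclosing method starts outside the hunk.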
@@ -1,7 +1,10 @@
 """authentik core signals"""
+from importlib import import_module
+
+from django.conf import settings
 from django.contrib.auth.signals import user_logged_in, user_logged_out
-from django.contrib.sessions.backends.cache import KEY_PREFIX
+from django.contrib.sessions.backends.base import SessionBase
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
@@ -25,6 +28,7 @@ password_changed = Signal()
 login_failed = Signal()
 LOGGER = get_logger()
+SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore
 @receiver(post_save, sender=Application)
@@ -60,8 +64,7 @@ def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
 @receiver(pre_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
 """Delete session when authenticated session is deleted"""
-cache_key = f"{KEY_PREFIX}{instance.session_key}"
-cache.delete(cache_key)
+ SessionStore(instance.session_key).delete()
 @receiver(pre_save)
diff --git a/website/docs/security/cves/CVE-2025-29928.md b/website/docs/security/cves/CVE-2025-29928.md
new file mode 100644
index 0000000000..74b7b89a54
--- /dev/null
+++ b/website/docs/security/cves/CVE-2025-29928.md
@@ -0,0 +1,23 @@
+# CVE-2025-29928
+
+## Deletion of sessions did not revoke sessions when using database session storage
+
+### Summary
+
+When authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik.
+
+This also affects automatic session deletion when a user is set to inactive or a user is deleted.
+
+### Patches
+
+authentik 2025.2.3 and 2024.12.4 fix this issue.
+
+### Workarounds
+
+Switching to the cache-based session storage until the authentik instance can be upgraded is recommended.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).
diff --git a/website/sidebars.js b/website/sidebars.js
index 965162f7b9..7fcedd56fa 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -704,6 +704,11 @@ export default {
 type: "category",
 label: "CVEs",
 items: [
+ {
+ type: "category",
+ label: "2024",
+ items: ["security/cves/CVE-2025-29928"],
+ },
 {
 type: "category",
 label: "2024",
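Review bot: The new sidebar category that holds `security/cves/CVE-2025-29928` is labelled `"2024"`, the same label as the existing category directly below it, so the docs sidebar would show two "2024" groups and list a 2025 advisory under the wrong year; the added line should read `label: "2025",`. The enclosing `export default` object starts and ends outside the hunk.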