security: fix CVE 2024 52289 (#12113)

* initial migration Signed-off-by: Jens Langhammer <jens@goauthentik.io> * migrate tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix loading Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start dynamic ui Signed-off-by: Jens Langhammer <jens@goauthentik.io> * initial ui Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add serialize Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add error message handling Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix/add tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * prepare docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * migrate to new input Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-11-21 14:46:43 +01:00
parent 5ea4580884
commit 85bb638243
37 changed files with 687 additions and 198 deletions
--- a/website/docs/security/cves/CVE-2024-52289.md
+++ b/website/docs/security/cves/CVE-2024-52289.md
@ -0,0 +1,30 @@
+# CVE-2024-52289
+
+_Reported by [@PontusHanssen](https://github.com/PontusHanssen)_
+
+## Insecure default configuration for OAuth2 Redirect URIs
+
+### Summary
+
+Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
+When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either.
+
+Given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register a domain `fooaexample.com`, and it will correctly pass validation.
+
+### Patches
+
+authentik 2024.8.5 and 2024.10.3 fix this issue.
+
+The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change.
+
+Manual action _is required_ if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
+
+### Workarounds
+
+When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\.`.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
--- a/website/sidebars.js
+++ b/website/sidebars.js
@ -659,6 +659,7 @@ export default {
                            label: "2024",
                            items: [
                                "security/cves/CVE-2024-52307",
+                                "security/cves/CVE-2024-52289",
                                "security/cves/CVE-2024-52287",
                                "security/cves/CVE-2024-47077",
                                "security/cves/CVE-2024-47070",