security: fix CVE-2023-39522 (#6665)

* stages/email: don't disclose whether a user exists or not when recovering

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update website

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

website/docs/releases/2023/v2023.5.md

@@ -152,6 +152,10 @@ image:
 
 -   \*: fix [CVE-2023-36456](../security/CVE-2023-36456), Reported by [@thijsa](https://github.com/thijsa)
 
+## Fixed in 2023.5.6
+
+-   \*: fix [CVE-2023-39522](../security/CVE-2023-39522), Reported by [@markrassamni](https://github.com/markrassamni)
+
 ## API Changes
 
 #### What's Changed

website/docs/releases/2023/v2023.6.md

@@ -88,6 +88,10 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.6
 -   sources/ldap: fix more errors (#6191)
 -   sources/ldap: fix page size (#6187)
 
+## Fixed in 2023.6.2
+
+-   \*: fix [CVE-2023-39522](../security/CVE-2023-39522), Reported by [@markrassamni](https://github.com/markrassamni)
+
 ## API Changes
 
 #### What's New

website/docs/security/CVE-2023-39522.md

@@ -0,0 +1,27 @@
+# CVE-2023-39522
+
+_Reported by [@markrassamni](https://github.com/markrassamni)_
+
+## Username enumeration attack
+
+### Summary
+
+Using a recovery flow with an identification stage an attacker is able to determine if a username exists.
+
+### Patches
+
+authentik 2023.5.6 and 2023.6.2 fix this issue.
+
+### Impact
+
+Only setups configured with a recovery flow are impacted by this.
+
+### Details
+
+An attacker can easily enumerate and check users' existence using the recovery flow, as a clear message is shown when a user doesn't exist. Depending on configuration this can either be done by username, email, or both.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)