security: fix CVE-2023-39522 (#6665)

* stages/email: don't disclose whether a user exists or not when recovering Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update website Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-08-29 19:07:49 +02:00
parent 87f65526e1
commit aa874dd92a
8 changed files with 116 additions and 4 deletions
--- a/website/docs/releases/2023/v2023.5.md
+++ b/website/docs/releases/2023/v2023.5.md
@ -152,6 +152,10 @@ image:

 -   \*: fix [CVE-2023-36456](../security/CVE-2023-36456), Reported by [@thijsa](https://github.com/thijsa)

+## Fixed in 2023.5.6
+
+-   \*: fix [CVE-2023-39522](../security/CVE-2023-39522), Reported by [@markrassamni](https://github.com/markrassamni)
+
 ## API Changes

 #### What's Changed
--- a/website/docs/releases/2023/v2023.6.md
+++ b/website/docs/releases/2023/v2023.6.md
@ -88,6 +88,10 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.6
 -   sources/ldap: fix more errors (#6191)
 -   sources/ldap: fix page size (#6187)

+## Fixed in 2023.6.2
+
+-   \*: fix [CVE-2023-39522](../security/CVE-2023-39522), Reported by [@markrassamni](https://github.com/markrassamni)
+
 ## API Changes

 #### What's New