security: fix CVE-2024-47070 (#11536)

* security: fix CVE-2024-47070 Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Update website/docs/security/CVE-2024-47070.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
2024-09-27 16:18:37 +02:00
parent 97a36b6c4e
commit ba28e6de41
6 changed files with 72 additions and 7 deletions
--- a/website/docs/security/CVE-2024-42490.md
+++ b/website/docs/security/CVE-2024-42490.md
@ -2,7 +2,7 @@

 _Reported by [@m2a2](https://github.com/m2a2)_

-## Improper Authorization for Token modification
+## Insufficient Authorization for several API endpoints

 ### Summary

--- a/website/docs/security/CVE-2024-47070.md
+++ b/website/docs/security/CVE-2024-47070.md
@ -0,0 +1,35 @@
+# CVE-2024-47070
+
+_Reported by [@efpi-bot](https://github.com/efpi-bot) from [LogicalTrust](https://logicaltrust.net/en/)_
+
+## Password authentication bypass via X-Forwarded-For HTTP header
+
+### Summary
+
+The vulnerability allows bypassing policies by adding X-Forwarded-For header with unparsable IP address, e.g. "a". This results in a possibility to authenticate/authorize to any account with known login or email address.
+
+Since the default authentication flow uses a policy to enable the password stage only when there is no password stage selected on the Identification stage, this vulnerability can be used to skip this policy and continue without the password stage.
+
+### Am I affected
+
+This can be exploited for the following configurations:
+
+-   An attacker can access authentik without a reverse proxy (and `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS` is not configured properly)
+-   The reverse proxy configuration does not correctly overwrite X-Forwarded-For
+-   Policies (User and group bindings do _not_ apply) are bound to authentication/authorization flows
+
+### Patches
+
+authentik 2024.6.5 and 2024.8.3 fix this issue.
+
+### Workarounds
+
+Ensure the X-Forwarded-For header is always set by the reverse proxy, and is always set to a correct IP.
+
+In addition you can manually change the _Failure result_ option on policy bindings to _Pass_, which will prevent any stages from being skipped if a malicious request is received.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
--- a/website/sidebars.js
+++ b/website/sidebars.js
@ -522,6 +522,7 @@ const docsSidebar = {
                "security/security-hardening",
                "security/policy",
                "security/CVE-2024-47077",
+                "security/CVE-2024-47070",
                "security/CVE-2024-42490",
                "security/CVE-2024-38371",
                "security/CVE-2024-37905",