* providers/oauth2: fix CVE-2024-21637 (#8104)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update changelog

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L <jens@goauthentik.io>
committed by GitHub
parent 1516fe86da
commit d9aab79c62
			@ -159,6 +159,14 @@ image:
-   \*: fix [GHSA-rjvp-29xq-f62w](../security/GHSA-rjvp-29xq-f62w), Reported by [@devSparkle](https://github.com/devSparkle)
## Fixed in 2023.8.5
-   security: fix [CVE-2023-48228](../../security/CVE-2023-48228.md), Reported by [@Sapd](https://github.com/Sapd) (#7666)
## Fixed in 2023.8.6
-   providers/oauth2: fix [CVE-2024-21637](../../security/CVE-2024-21637.md), Reported by [@lauritzh](https://github.com/lauritzh) (#8104)
## API Changes
#### What's New
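Review bot: the relative link depth in the new "Fixed in 2023.8.6" entry should be checked against the other entries in this hunk: the new line uses `../../security/CVE-2024-21637.md`, matching the CVE-2023-48228 line, whereas the GHSA-rjvp-29xq-f62w line uses `../security/GHSA-rjvp-29xq-f62w` (one directory up, no `.md`), so the two forms point at different directory depths and at most one of them can be the intended path from this file. Separately, the advisory added in this same commit states that 2023.10.6 also fixes the issue, but this hunk only adds the entry under 2023.8.6; the 2023.10 changelog needs the matching line.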
							
								
								
									
website/docs/security/CVE-2024-21637.md (Normal file, 39 lines)
							@ -0,0 +1,39 @@
# CVE-2024-21637
_Reported by [@lauritzh](https://github.com/lauritzh)_
## XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode
### Summary
Given an OAuth2 provider configured with allowed redirect URIs set to `*` or `.*`, an attacker can send an OAuth Authorization request using `response_mode=form_post` and setting `redirect_uri` to a malicious URI, to capture authentik's session token.
### Patches
authentik 2023.8.6 and 2023.10.6 fix this issue.
### Impact
The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik.
#### Redirect URI Misconfiguration
While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances.
In such cases, unauthenticated and unprivileged attackers can perform the above described actions.
### User with (only) App Administration Permissions
A more likely scenario is an administrative user (e.g. a normal developer) having only permissions to manage applications.
This relatively user could use the described attacks to perform a privilege escalation.
### Workaround
It is recommended to upgrade to the patched version of authentik. If not possible, ensure that OAuth2 providers do not use a wildcard (`*` or `.*`) value as allowed redirect URI setting. (This is _not_ exploitable if part of the redirect URI has a wildcard, for example `https://foo-.*\.bar\.com`)
### For more information
If you have any questions or comments about this advisory:
-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
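Review bot: the heading levels in the Impact section are inconsistent: the first scenario is `#### Redirect URI Misconfiguration` but the second is `### User with (only) App Administration Permissions`, which makes the second scenario a sibling of Impact instead of a sub-case of it; both should be `####`. Two sentences in the same section are also broken: "the two scenario that were identified" should read "scenarios", and "This relatively user could use the described attacks" is missing a word after "relatively". Minor: "arbitrary URLS" should be "URLs". Finally, the Patches section only names the fixed versions; one line on what the fix changes for existing providers (for example, whether a provider configured with a wildcard-only redirect URI keeps working after upgrading) would let operators decide whether the workaround in the last section is still needed once they are on 2023.8.6 or 2023.10.6.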