security: fix CVE 2022 46145 (#4140)

* add flow authentication requirement

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add website for cve

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: handle FlowNonApplicableException without policy result

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add release notes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

website/docs/releases/v2022.10.md

@@ -3802,6 +3802,10 @@ Changed response : **200 OK**
 -   sources/saml: set username field to name_id attribute
 -   web/common: disable API Drawer by default in user interface
 
+## Fixed in 2022.10.2
+
+-   \*: fix CVE-2022-46145
+
 ## Upgrading
 
 This release does not introduce any new requirements.

website/docs/releases/v2022.11.md

@@ -71,6 +71,10 @@ image:
 -   web/admin: fix error when importing duo devices
 -   web/admin: reset cookie_domain when setting non-domain forward auth
 
+## Fixed in 2022.11.2
+
+-   \*: fix CVE-2022-46145
+
 ## API Changes
 
 #### What's Changed

website/docs/security/CVE-2022-46145.md

@@ -0,0 +1,19 @@
+# CVE-2022-46145
+
+## Unauthorized user creation and potential account takeover
+
+### Impact
+
+With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts
+
+### Patches
+
+authentik 2022.11.2 and 2022.10.2 fix this issue, for other versions the workaround can be used.
+
+### Workarounds
+
+A policy can be created and bound to the `default-user-settings-flow` flow with the following contents
+
+```python
+return request.user.is_authenticated
+```