security: fix CVE 2022 46145 (#4140)

* add flow authentication requirement

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add website for cve

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: handle FlowNonApplicableException without policy result

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add release notes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

website/docs/releases/v2022.10.md

@@ -3802,6 +3802,10 @@ Changed response : **200 OK**
 -   sources/saml: set username field to name_id attribute
 -   web/common: disable API Drawer by default in user interface
 
+## Fixed in 2022.10.2
+
+-   \*: fix CVE-2022-46145
+
 ## Upgrading
 
 This release does not introduce any new requirements.

website/docs/releases/v2022.11.md

@@ -71,6 +71,10 @@ image:
 -   web/admin: fix error when importing duo devices
 -   web/admin: reset cookie_domain when setting non-domain forward auth
 
+## Fixed in 2022.11.2
+
+-   \*: fix CVE-2022-46145
+
 ## API Changes
 
 #### What's Changed