*: backport CVE-2022-46145 fix

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

website/docs/security/CVE-2022-46145.md

@@ -0,0 +1,19 @@
+# CVE-2022-46145
+
+## Unauthorized user creation and potential account takeover
+
+### Impact
+
+With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts
+
+### Patches
+
+authentik 2022.11.2 and 2022.10.2 fix this issue, for other versions the workaround can be used.
+
+### Workarounds
+
+A policy can be created and bound to the `default-user-settings-flow` flow with the following contents
+
+```python
+return request.user.is_authenticated
+```

website/sidebars.js

@@ -290,7 +290,7 @@ module.exports = {
                 title: "Security",
                 slug: "security",
             },
-            items: ["security/policy"],
+            items: ["security/policy", "security/CVE-2022-46145"],
         },
     ],
 };