authentik

Author	SHA1	Message	Date
Norbert Takács	1932993b2c	website/docs: fix some broken links (#11742 ) * Update security-hardening.md broken links Signed-off-by: Norbert Takács <bokker11@hotmail.com> * Removed extra link Signed-off-by: Norbert Takács <bokker11@hotmail.com> * added space back Signed-off-by: Norbert Takács <bokker11@hotmail.com> * fix netlify redirects Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * use relative links Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> --------- Signed-off-by: Norbert Takács <bokker11@hotmail.com> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-10-21 09:54:14 -05:00
Tana M Berry	6d5172d18a	website: latest PR for new Docs structure (#11639 ) * first pass * dependency shenanigans * move blueprints * few broken links * change config the throw errors * internal file edits * fighting links * remove sidebarDev * fix subdomain Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix relative URL Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix mismatched package versions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix api reference build Signed-off-by: Jens Langhammer <jens@goauthentik.io> * test tweak * links hell * more links hell * links hell2 * yep last of the links * last broken link fixed * re-add cves Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add devdocs redirects * add dir * tweak netlify.toml * move latest 2 CVES into dir * fix links to moved cves * typoed title fix * fix link * remove banner * remove committed api docs Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * integrations: remove version dropdown Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * Update Makefile Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * change doc links in web as well Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix some more docs paths Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix more docs paths Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * ci: require ci-web.build for merging Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * Revert "ci: require ci-web.build for merging" This reverts commit `b99a4842a9`. * remove sluf for Application * put slug back in * minor fix to trigger deploy * Spelled out Documentation in menu bar * remove image redirects... Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove explicit index.md Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove mdx first Signed-off-by: Jens Langhammer <jens@goauthentik.io> * then remove .md Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add missing prefix Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Tana M Berry <tana@goauthentik.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-10-09 09:33:40 -05:00
Tana M Berry	6b2fced1b9	Revert "website: latest migration to new structure" (#11634 ) Revert "website: latest migration to new structure (#11522)" This reverts commit `9a89a5f94b`.	2024-10-09 00:30:50 +02:00
Tana M Berry	9a89a5f94b	website: latest migration to new structure (#11522 ) * first pass * dependency shenanigans * move blueprints * few broken links * change config the throw errors * internal file edits * fighting links * remove sidebarDev * fix subdomain Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix relative URL Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix mismatched package versions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix api reference build Signed-off-by: Jens Langhammer <jens@goauthentik.io> * test tweak * links hell * more links hell * links hell2 * yep last of the links * last broken link fixed * re-add cves Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add devdocs redirects * add dir * tweak netlify.toml * move latest 2 CVES into dir * fix links to moved cves * typoed title fix * fix link * remove banner * remove committed api docs Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * integrations: remove version dropdown Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * Update Makefile Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * change doc links in web as well Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix some more docs paths Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix more docs paths Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * ci: require ci-web.build for merging Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * Revert "ci: require ci-web.build for merging" This reverts commit `b99a4842a9`. * remove sluf for Application * put slug back in * minor fix to trigger deploy --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Tana M Berry <tana@goauthentik.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-10-08 14:07:19 -05:00
Jens L.	ba28e6de41	security: fix CVE-2024-47070 (#11536 ) * security: fix CVE-2024-47070 Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Update website/docs/security/CVE-2024-47070.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>	2024-09-27 16:18:37 +02:00
Jens L.	97a36b6c4e	security: fix CVE-2024-47077 (#11535 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-09-27 16:17:07 +02:00
Jens L.	3daf8f8db4	security: fix CVE-2024-42490 (#11022 ) CVE-2024-42490 Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-08-22 17:17:06 +02:00
Davide	7fee9fd868	website/docs: fix formatting on CVE-2024-23647 (#10955 ) Update CVE-2024-23647.md Formatting errors fixed Signed-off-by: Davide <69810644+ItzDavi@users.noreply.github.com>	2024-08-19 14:06:44 +02:00
Marc 'risson' Schmitt	322ae4c4ed	website/docs: add source property mappings, rework provider property mappings (#10652 )	2024-08-07 19:30:29 +00:00
Jens L	cc18f352aa	security: fix CVE-2024-37905 (#10230 ) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-06-26 12:07:44 +02:00
Jens L	422eb0890c	security: fix CVE-2024-38371 (#10229 )	2024-06-26 11:24:05 +02:00
Fletcher Heisler	09cacbd76b	website/docs: add hardening advice and link directly to Cure53 results (#9670 ) docs: add hardening advice and link directly to Cure53 results Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>	2024-05-10 09:07:19 -04:00
Tana M Berry	85594a119c	website/docs: add new doc about extra steps for hardening authentik (#9649 ) * add to sidebar * tweaks * tweaks * add derek edit * ken edit * Update website/docs/security/security-hardening.md Co-authored-by: Jens L. <jens@goauthentik.io> Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com> * tweaks --------- Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com> Co-authored-by: Tana M Berry <tana@goauthentik.com> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-05-09 10:02:51 -05:00
Jens L	1db322b42f	security: fix CVE-2024-23647 (#8345 ) * security: fix CVE-2024-23647 Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add website Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-01-29 17:40:24 +01:00
Jens L	6649f7ab72	providers/oauth2: fix CVE-2024-21637 (#8104 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-01-09 18:14:12 +01:00
Tana M Berry	f2aa83a731	root: update security policy to include link to cure53 report (#7853 ) * add links to the cure53 audit results * fix link * link * fighting with Docu * removed link for now * use absolute link --------- Co-authored-by: Tana Berry <tana@goauthentik.io>	2023-12-11 15:26:36 -06:00
Jens L	b88e39411c	security: fix CVE-2023-48228 (#7666 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-11-21 18:10:07 +01:00
Jens L	261879022d	security: fix oobe-flow reuse when akadmin is deleted (#7361 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-10-28 21:24:06 +02:00
Jens L	aa874dd92a	security: fix CVE-2023-39522 (#6665 ) * stages/email: don't disclose whether a user exists or not when recovering Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update website Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-08-29 19:07:49 +02:00
Jens L	d22d147c8e	security: fix CVE-2023-36456 (#6171 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-07-06 18:16:26 +02:00
Jens L	b0fbd576fc	security: cure53 fix (#6039 ) * ATH-01-001: resolve path and check start before loading blueprints This is even less of an issue since `411ef239f6`, since with that commit we only allow files that the listing returns Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-010: fix missing user filter for webauthn device This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it. * ATH-01-008: fix web forms not submitting correctly when pressing enter When submitting some forms with the Enter key instead of clicking "Confirm"/etc, the form would not get submitted correctly This would in the worst case is when setting a user's password, where the new password can end up in the URL, but the password was not actually saved to the user. * ATH-01-004: remove env from admin system endpoint this endpoint already required admin access, but for debugging the env variables are used very little Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-003 / ATH-01-012: disable htmlLabels in mermaid Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-005: use hmac.compare_digest for secret_key authentication Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-009: migrate impersonation to use API Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-010: rework Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-014: save authenticator validation state in flow context Signed-off-by: Jens Langhammer <jens@goauthentik.io> bugfixes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-012: escape quotation marks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add website Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update release ntoes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update with all notes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-06-22 22:25:04 +02:00
Jens L	972dce1462	security: fix CVE-2023-26481 (#4832 ) fix CVE-2023-26481 Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-03-02 20:15:33 +01:00
Jens Langhammer	7046944bf6	website: link CVE and attribute reporter Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-25 14:17:17 +01:00
Jens L	9f846d94be	security: fix CVE 2022 23555 (#4274 ) * add flow to invitation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * show warning on invitation page Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add security advisory Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-23 14:13:49 +01:00
Jens L	84fbeb5721	security: fix CVE 2022 46172 (#4275 ) * fallback to current user in user_write, add flag to disable user creation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update api and web ui Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update default flows Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add cve post to website Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-23 14:12:58 +01:00
Jens L	db95dfe38d	security: fix CVE 2022 46145 (#4140 ) * add flow authentication requirement Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add website for cve Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * flows: handle FlowNonApplicableException without policy result Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add release notes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-02 16:14:25 +01:00
Jens Langhammer	147ebf1a5e	root: rework and expand security policy Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-28 12:10:53 +01:00

27 Commits