authentik

Author	SHA1	Message	Date
Jens L	cc18f352aa	security: fix CVE-2024-37905 (#10230 ) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-06-26 12:07:44 +02:00
Jens L	422eb0890c	security: fix CVE-2024-38371 (#10229 )	2024-06-26 11:24:05 +02:00
Fletcher Heisler	09cacbd76b	website/docs: add hardening advice and link directly to Cure53 results (#9670 ) docs: add hardening advice and link directly to Cure53 results Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>	2024-05-10 09:07:19 -04:00
Tana M Berry	85594a119c	website/docs: add new doc about extra steps for hardening authentik (#9649 ) * add to sidebar * tweaks * tweaks * add derek edit * ken edit * Update website/docs/security/security-hardening.md Co-authored-by: Jens L. <jens@goauthentik.io> Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com> * tweaks --------- Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com> Co-authored-by: Tana M Berry <tana@goauthentik.com> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-05-09 10:02:51 -05:00
Jens L	1db322b42f	security: fix CVE-2024-23647 (#8345 ) * security: fix CVE-2024-23647 Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add website Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-01-29 17:40:24 +01:00
Jens L	6649f7ab72	providers/oauth2: fix CVE-2024-21637 (#8104 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2024-01-09 18:14:12 +01:00
Tana M Berry	f2aa83a731	root: update security policy to include link to cure53 report (#7853 ) * add links to the cure53 audit results * fix link * link * fighting with Docu * removed link for now * use absolute link --------- Co-authored-by: Tana Berry <tana@goauthentik.io>	2023-12-11 15:26:36 -06:00
Jens L	b88e39411c	security: fix CVE-2023-48228 (#7666 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-11-21 18:10:07 +01:00
Jens L	261879022d	security: fix oobe-flow reuse when akadmin is deleted (#7361 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-10-28 21:24:06 +02:00
Jens L	aa874dd92a	security: fix CVE-2023-39522 (#6665 ) * stages/email: don't disclose whether a user exists or not when recovering Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update website Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-08-29 19:07:49 +02:00
Jens L	d22d147c8e	security: fix CVE-2023-36456 (#6171 ) Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-07-06 18:16:26 +02:00
Jens L	b0fbd576fc	security: cure53 fix (#6039 ) * ATH-01-001: resolve path and check start before loading blueprints This is even less of an issue since `411ef239f6`, since with that commit we only allow files that the listing returns Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-010: fix missing user filter for webauthn device This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it. * ATH-01-008: fix web forms not submitting correctly when pressing enter When submitting some forms with the Enter key instead of clicking "Confirm"/etc, the form would not get submitted correctly This would in the worst case is when setting a user's password, where the new password can end up in the URL, but the password was not actually saved to the user. * ATH-01-004: remove env from admin system endpoint this endpoint already required admin access, but for debugging the env variables are used very little Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-003 / ATH-01-012: disable htmlLabels in mermaid Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-005: use hmac.compare_digest for secret_key authentication Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-009: migrate impersonation to use API Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-010: rework Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-014: save authenticator validation state in flow context Signed-off-by: Jens Langhammer <jens@goauthentik.io> bugfixes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-012: escape quotation marks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add website Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update release ntoes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update with all notes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-06-22 22:25:04 +02:00
Jens L	972dce1462	security: fix CVE-2023-26481 (#4832 ) fix CVE-2023-26481 Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-03-02 20:15:33 +01:00
Jens Langhammer	7046944bf6	website: link CVE and attribute reporter Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-25 14:17:17 +01:00
Jens L	9f846d94be	security: fix CVE 2022 23555 (#4274 ) * add flow to invitation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * show warning on invitation page Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add security advisory Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-23 14:13:49 +01:00
Jens L	84fbeb5721	security: fix CVE 2022 46172 (#4275 ) * fallback to current user in user_write, add flag to disable user creation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update api and web ui Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update default flows Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add cve post to website Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-23 14:12:58 +01:00
Jens L	db95dfe38d	security: fix CVE 2022 46145 (#4140 ) * add flow authentication requirement Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add website for cve Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * flows: handle FlowNonApplicableException without policy result Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add release notes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-02 16:14:25 +01:00
Jens Langhammer	147ebf1a5e	root: rework and expand security policy Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-28 12:10:53 +01:00

18 Commits