3996bdac33
* website: Bump prettier from 3.3.3 to 3.4.1 in /website Bumps [prettier](https://github.com/prettier/prettier) from 3.3.3 to 3.4.1. - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.3.3...3.4.1) --- updated-dependencies: - dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * update formatting Signed-off-by: Jens Langhammer <jens@goauthentik.io> * sigh Signed-off-by: Jens Langhammer <jens@goauthentik.io> * disable flaky test Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
40 lines
1.7 KiB
Markdown
40 lines
1.7 KiB
Markdown
# CVE-2024-21637
|
|
|
|
_Reported by [@lauritzh](https://github.com/lauritzh)_
|
|
|
|
## XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode
|
|
|
|
### Summary
|
|
|
|
Given an OAuth2 provider configured with allowed redirect URIs set to `*` or `.*`, an attacker can send an OAuth Authorization request using `response_mode=form_post` and setting `redirect_uri` to a malicious URI, to capture authentik's session token.
|
|
|
|
### Patches
|
|
|
|
authentik 2023.8.6 and 2023.10.6 fix this issue.
|
|
|
|
### Impact
|
|
|
|
The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik.
|
|
|
|
#### Redirect URI Misconfiguration
|
|
|
|
While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances.
|
|
|
|
In such cases, unauthenticated and unprivileged attackers can perform the above described actions.
|
|
|
|
### User with (only) App Administration Permissions
|
|
|
|
A more likely scenario is an administrative user (e.g. a normal developer) having only permissions to manage applications.
|
|
|
|
This relatively user could use the described attacks to perform a privilege escalation.
|
|
|
|
### Workaround
|
|
|
|
It is recommended to upgrade to the patched version of authentik. If not possible, ensure that OAuth2 providers do not use a wildcard (`*` or `.*`) value as allowed redirect URI setting. (This is _not_ exploitable if part of the redirect URI has a wildcard, for example `https://foo-.*\.bar\.com`)
|
|
|
|
### For more information
|
|
|
|
If you have any questions or comments about this advisory:
|
|
|
|
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
|