57a31b5dd1
security: fix CVE-2024-47077 (#11535) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
26 lines
1.0 KiB
Markdown
26 lines
1.0 KiB
Markdown
# CVE-2024-47077
|
|
|
|
_Reported by [@quentinmit](https://github.com/quentinmit)_
|
|
|
|
## Insufficient cross-provider token validation during introspection
|
|
|
|
### Summary
|
|
|
|
Access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access.
|
|
|
|
### Details
|
|
|
|
The proxy provider uses `/application/o/introspect/` to validate bearer tokens provided in the `Authorization` header:
|
|
|
|
The implementation of this endpoint separately validates the `client_id` and `client_secret` (which are that of the proxy provider) and the `token` without validating that they correspond to the same provider.
|
|
|
|
### Patches
|
|
|
|
authentik 2024.6.5 and 2024.8.3 fix this issue.
|
|
|
|
### For more information
|
|
|
|
If you have any questions or comments about this advisory:
|
|
|
|
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
|