habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f23965a55ea1b56ebb919499d1afab38f67e080e
authentik/website/docs/security/cves/CVE-2024-21637.md
dependabot[bot] 3996bdac33 website: Bump prettier from 3.3.3 to 3.4.1 in /website (#12205) 
* website: Bump prettier from 3.3.3 to 3.4.1 in /website

Bumps [prettier](https://github.com/prettier/prettier) from 3.3.3 to 3.4.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.3.3...3.4.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* update formatting

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sigh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* disable flaky test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2024-11-27 15:14:19 +01:00

1.7 KiB
Raw Blame History

CVE-2024-21637

Reported by @lauritzh

XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode

Summary

Given an OAuth2 provider configured with allowed redirect URIs set to * or .*, an attacker can send an OAuth Authorization request using response_mode=form_post and setting redirect_uri to a malicious URI, to capture authentik's session token.

Patches

authentik 2023.8.6 and 2023.10.6 fix this issue.

Impact

The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik.

Redirect URI Misconfiguration

While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances.

In such cases, unauthenticated and unprivileged attackers can perform the above described actions.

User with (only) App Administration Permissions

A more likely scenario is an administrative user (e.g. a normal developer) having only permissions to manage applications.

This relatively user could use the described attacks to perform a privilege escalation.

Workaround

It is recommended to upgrade to the patched version of authentik. If not possible, ensure that OAuth2 providers do not use a wildcard (* or .*) value as allowed redirect URI setting. (This is not exploitable if part of the redirect URI has a wildcard, for example https://foo-.*\.bar\.com)

For more information

If you have any questions or comments about this advisory: