Description
authentik is an open-source identity provider. When an OAuth2 flow is initialised with a code_challenge and code_method (thus requesting PKCE), the single sign-on provider (authentik) must check, during the token step, that a matching code_verifier is present. Prior to versions 2023.10.4 and 2023.8.5, authentik checked whether the contents of code_verifier matched only when the parameter was provided. When it was left out completely, authentik simply accepted the token request without it, even when the flow had been started with a code_challenge. In practice this lets anyone who obtains an authorization code redeem it without knowing the verifier, which defeats the protection PKCE is meant to give. authentik 2023.8.5 and 2023.10.4 fix this issue.
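The faulty check described above, next to a corrected one, as an added example written for this page (it is not authentik's code and does not reproduce its internals). The stored authorization code is modelled as a plain dict, the sample verifier is the RFC 7636 Appendix B value, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
from typing import Optional


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_matches(stored_code: dict, verifier: str) -> bool:
    """Derive the challenge from the presented verifier and compare it
    (constant-time) with the challenge stored at authorization time."""
    method = stored_code.get("code_challenge_method", "plain")
    if method == "S256":
        expected = s256_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False  # unknown method: never accept
    return hmac.compare_digest(expected, stored_code["code_challenge"])


def vulnerable_token_check(stored_code: dict, verifier: Optional[str]) -> bool:
    """The pattern the advisory describes: the verifier is validated only when
    it is present. Omitting code_verifier entirely skips PKCE altogether."""
    if verifier is not None and stored_code.get("code_challenge"):
        return challenge_matches(stored_code, verifier)
    return True


def fixed_token_check(stored_code: dict, verifier: Optional[str]) -> bool:
    """If the authorization request carried a code_challenge, a verifier is
    mandatory at the token endpoint; a missing one is a hard failure."""
    if stored_code.get("code_challenge"):
        if not verifier:
            return False
        return challenge_matches(stored_code, verifier)
    # No PKCE was requested for this code; nothing to verify here.
    return True


# Constructed sample data (hypothetical client, RFC 7636 Appendix B verifier).
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
PKCE_CODE = {
    "client_id": "demo-client",
    "code_challenge": s256_challenge(VERIFIER),
    "code_challenge_method": "S256",
}
NO_PKCE_CODE = {"client_id": "demo-client"}

if __name__ == "__main__":
    # Attacker redeems a PKCE-protected code with no code_verifier at all.
    print("vulnerable, verifier omitted:", vulnerable_token_check(PKCE_CODE, None))
    print("fixed, verifier omitted:     ", fixed_token_check(PKCE_CODE, None))
    print("fixed, correct verifier:     ", fixed_token_check(PKCE_CODE, VERIFIER))
```

The only difference between the two checks is the branch taken when `code_verifier` is absent: the vulnerable version falls through to acceptance, the fixed version treats a stored challenge as making the verifier mandatory. When auditing an OAuth2 server, send a token request for a PKCE-initiated flow with the parameter removed rather than wrong; a correct implementation answers with `invalid_grant`.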
References
- Product
- Patch
- Patch
- Patch
- Patch
- Patch
- Patch
- Release Notes
- Release Notes
- Exploit, Vendor Advisory
Vulnerable configurations
Configuration 1
One of:
- Version before 2023.8.5 (excluding): cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*
- Version from 2023.10.0 (including) up to 2023.10.4 (excluding): cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*
EPSS
Score: 0.00884 (percentile: 75%), Low
CVSS3
7.5 High
9.8 Critical
Weaknesses
CWE-287