CVE-2024-23647

Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a	Patch
https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:goauthentik:authentik::::::::
	cpe:2.3:a:goauthentik:authentik::::::::

History

06 Feb 2024, 18:22

Type	Values Removed	Values Added
References	~~() https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a -~~	() https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a - Patch
References	~~() https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj -~~	() https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj - Third Party Advisory
First Time		Goauthentik Goauthentik authentik
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:goauthentik:authentik::::::::

30 Jan 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-30 17:15

Updated : 2024-02-06 18:22

NVD link : CVE-2024-23647

Mitre link : CVE-2024-23647

CVE.ORG link : CVE-2024-23647

JSON object : View

Products Affected

goauthentik

authentik

CWE

CWE-287

Improper Authentication

{"id": "CVE-2024-23647", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-01-30T17:15:10.913", "references": [{"url": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue."}, {"lang": "es", "value": "Authentik es un proveedor de identidades de c\u00f3digo abierto. Hay un error en nuestra implementaci\u00f3n de PKCE que permite a un atacante eludir la protecci\u00f3n que ofrece PKCE. PKCE agrega el par\u00e1metro code_challenge a la solicitud de autorizaci\u00f3n y agrega el par\u00e1metro code_verifier a la solicitud de token. Antes de 2023.8.7 y 2023.10.7, es posible un escenario de degradaci\u00f3n: si el atacante elimina el par\u00e1metro code_challenge de la solicitud de autorizaci\u00f3n, authentik no realizar\u00e1 la verificaci\u00f3n PKCE. Debido a este error, un atacante puede eludir la protecci\u00f3n que ofrece PKCE, como los ataques CSRF y los ataques de inyecci\u00f3n de c\u00f3digo. Las versiones 2023.8.7 y 2023.10.7 solucionan el problema."}], "lastModified": "2024-02-06T18:22:58.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "026E19BC-D2BB-4B89-916F-565B498F0C87", "versionEndExcluding": "2023.8.7"}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E579B4B-ACB8-4917-915B-D0FB5FC17F64", "versionEndExcluding": "2023.10.7", "versionStartIncluding": "2023.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}