CVE-2024-37905

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including resetting user passwords and more. This issue has been patched in version(s) 2024.2.4, 2024.4.2 and 2024.6.0.
Configurations

No configuration.

History

21 Nov 2024, 09:24

Type Values Removed Values Added
References () https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4 - () https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4 -
References () https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3 - () https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3 -
References () https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0 - () https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0 -
References () https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4 - () https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4 -

01 Jul 2024, 12:37

Type Values Removed Values Added
Summary
  • (es) authentik es un proveedor de identidades de código abierto que enfatiza la flexibilidad y la versatilidad. El mecanismo Authentik API-Access-Token se puede explotar para obtener privilegios de usuario administrador. Una explotación exitosa del problema dará como resultado que un usuario obtenga acceso de administrador completo a la aplicación Authentik, incluido el restablecimiento de contraseñas de usuario y más. Este problema se solucionó en las versiones 2024.2.4, 2024.4.2 y 2024.6.0.

28 Jun 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-28 18:15

Updated : 2024-11-21 09:24


NVD link : CVE-2024-37905

Mitre link : CVE-2024-37905

CVE.ORG link : CVE-2024-37905


JSON object : View

Products Affected

No product.

CWE
CWE-284

Improper Access Control

CWE-863

Incorrect Authorization