SB2022122329 - Multiple vulnerabilities in authentik

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper Authentication (CVE-ID: CVE-2022-23555)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. A remote attacker can that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it's a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used.

2) Improper access control (CVE-ID: CVE-2022-46172)

The vulnerability allows a remote user to create arbitrary accounts.

The vulnerability exists due to improper access control in the default-user-settings-flow endpoint when handling requests to execute the user settings flow. A remote user can send a request to the flow execution endpoint to create arbitrary accounts.

Exploitation requires an existing authenticated user session and does not work for unauthenticated requests.

Remediation

Install update from vendor's website.

References

• https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h
• https://github.com/goauthentik/authentik/security/advisories/GHSA-hv8r-6w7p-mpc5