SB20240626100 - Multiple vulnerabilities in authentik
Published: June 26, 2024 Updated: April 23, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2024-38371)
The vulnerability allows a remote attacker to obtain OAuth tokens for an application and access the application.
The vulnerability exists due to improper authorization in the OAuth2 Device Code flow when processing device code authorization requests. A remote attacker can obtain OAuth tokens for an application for which they do not hold the required authorization, and use those tokens to access the application.
2) Incorrect Authorization (CVE-ID: CVE-2024-37905)
The vulnerability allows a remote user to escalate privileges to superuser.
The vulnerability exists due to incorrect authorization in the API token management endpoint when handling token modification requests. A remote user can create an API token and then change the user the token belongs to, thereby escalating privileges to superuser.
The modified token inherits the API access of the higher-privileged user, which can enable password changes for that user or malicious configuration changes.
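As an added illustration that is not authentik's code, the following minimal model shows the class of defect behind the second issue: a token update handler that copies a client-supplied owner field, beside a hardened handler that checks ownership and never lets the client move a token to another user. `TokenStore`, `MUTABLE_FIELDS` and the sample users are constructed for this example.

```python
from dataclasses import dataclass

# Fields a token owner may change; the owning user is deliberately absent.
MUTABLE_FIELDS = {"description"}

@dataclass
class User:
    id: int
    is_superuser: bool = False

@dataclass
class ApiToken:
    key: str
    user_id: int  # the identity whose API access the token grants
    description: str = ""

class TokenStore:
    def __init__(self, users):
        self.users = {u.id: u for u in users}
        self.tokens = {}

    def create(self, requester, key):
        # A new token is always bound to the caller that created it.
        tok = ApiToken(key=key, user_id=requester.id)
        self.tokens[key] = tok
        return tok

    def update_vulnerable(self, requester, key, patch):
        # Modelled defect: every submitted field is copied in, so an owner can re-point the token at a superuser.
        tok = self.tokens[key]
        for name, value in patch.items():
            setattr(tok, name, value)
        return tok

    def update_fixed(self, requester, key, patch):
        tok = self.tokens[key]
        # Only the owner (or a superuser) may modify the token at all.
        if tok.user_id != requester.id and not requester.is_superuser:
            raise PermissionError("token belongs to another user")
        # The owner binding is server-controlled: reject any non-allowlisted field.
        forbidden = set(patch) - MUTABLE_FIELDS
        if forbidden:
            raise PermissionError(f"not client-writable: {sorted(forbidden)}")
        for name, value in patch.items():
            setattr(tok, name, value)
        return tok

    def grants_superuser(self, key):
        # What the token is worth: the privilege of its current owner.
        return self.users[self.tokens[key].user_id].is_superuser
```

Reassigning a token's owner is the escalation the bulletin describes; the hardened handler rejects the request outright, so the token keeps the privilege level of the user who created it.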
Remediation
Install update from vendor's website.