SB2024112180 - Multiple vulnerabilities in authentik




Published: November 21, 2024 Updated: April 23, 2026

Security Bulletin ID: SB2024112180
Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 33% Medium 33% Low 33%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2024-52307)

The vulnerability allows a remote attacker to disclose sensitive information and modify data.

The vulnerability exists due to observable timing discrepancy in the /-/metrics/ endpoint when comparing authentication data. A remote attacker can send repeated requests to brute-force the SECRET_KEY to disclose sensitive information and modify data.

The issue can enable signing new cookies or modifying existing cookies after recovering the SECRET_KEY.
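The following is an added example, not code from the bulletin or from authentik, showing the class of defect described above and its usual fix. It assumes an endpoint that authenticates requests with a token derived from the server's SECRET_KEY; the key, the label, and all function names are constructed for the demonstration. Instead of wall-clock timing, which is noisy, the vulnerable comparison reports how many bytes it examined before stopping, which is the quantity a timing side channel leaks.

```python
import hmac
import secrets

# Constructed example: a bearer-token check for a metrics endpoint.
# Illustrative code only, not authentik's implementation. The assumption
# is that the endpoint accepts a token derived from the server's SECRET_KEY.

SECRET_KEY = secrets.token_bytes(32)  # constructed placeholder key


def derive_metrics_token(secret_key: bytes) -> bytes:
    """Expected token: HMAC-SHA256 of a fixed label under the secret key."""
    return hmac.new(secret_key, b"metrics-endpoint", "sha256").digest()


def compare_vulnerable(presented: bytes, expected: bytes) -> tuple[bool, int]:
    """Early-exit comparison.

    Returns (match, bytes_examined). The second value stands in for elapsed
    time: the loop stops at the first differing byte, so the work done grows
    with the length of the matching prefix. That dependency is what a
    timing-discrepancy weakness exposes to a remote observer.
    """
    if len(presented) != len(expected):
        return False, 0
    examined = 0
    for a, b in zip(presented, expected):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def compare_fixed(presented: bytes, expected: bytes) -> bool:
    """Constant-time comparison.

    hmac.compare_digest examines every byte regardless of where the first
    mismatch lies, so the boolean result is the only thing the caller learns.
    """
    return hmac.compare_digest(presented, expected)


def check_metrics_token_vulnerable(presented: bytes, secret_key: bytes = SECRET_KEY) -> bool:
    """Endpoint check built on the early-exit comparison."""
    match, _ = compare_vulnerable(presented, derive_metrics_token(secret_key))
    return match


def check_metrics_token_fixed(presented: bytes, secret_key: bytes = SECRET_KEY) -> bool:
    """Endpoint check built on the constant-time comparison."""
    return compare_fixed(presented, derive_metrics_token(secret_key))


def flip_byte(data: bytes, index: int) -> bytes:
    """Demonstration helper: return a copy of data with one byte altered."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


if __name__ == "__main__":
    good = derive_metrics_token(SECRET_KEY)
    for idx in (0, 8, 31):
        _, examined = compare_vulnerable(flip_byte(good, idx), good)
        print(f"mismatch at byte {idx}: early-exit compare examined {examined} bytes")
    print("constant-time check accepts the real token:", check_metrics_token_fixed(good))
```

The practical rule is that any comparison of secret material on a network-reachable path should go through a constant-time primitive such as `hmac.compare_digest`; the early-exit version leaks one byte position per measurable step, and the page's description of brute-forcing the SECRET_KEY is that leak used repeatedly.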


2) Incorrect Regular Expression (CVE-ID: CVE-2024-52289)

The vulnerability allows a remote attacker to redirect OAuth2 flows to an attacker-controlled domain.

The vulnerability exists due to incorrect regular expression handling in the OAuth2 provider redirect URI validation when processing redirect_uri values. A remote attacker can register a crafted domain or supply a specially crafted redirect URI to redirect OAuth2 flows to an attacker-controlled domain.

When no redirect URIs are configured, the first received redirect_uri value is automatically accepted without escaping regular expression metacharacters.
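The following is an added example, not code from the bulletin or from authentik, modelling the redirect_uri check described above. It assumes a validator that stores configured redirect URIs as strings and, when none is configured, learns the first value it sees; the URIs, class and method names are constructed for the demonstration. The `escape` flag switches between matching the stored value as a raw regular expression (the weak form) and as an escaped, anchored literal (the fixed form). Anchoring with `\A` and `\Z` goes slightly beyond the metacharacter issue the page names; it closes the related prefix-match gap at the same time.

```python
import re
from typing import List, Optional

# Constructed example of OAuth2 redirect_uri validation. Illustrative code
# only, not authentik's implementation; the configured URIs and the class
# and method names are assumptions made for this demonstration.


class RedirectUriValidator:
    """Holds the configured redirect URIs for one OAuth2 provider.

    If no URI is configured, the first redirect_uri presented is learned,
    mirroring the behaviour the bulletin describes. The two modes differ only
    in whether a stored value is matched as a regex or as an escaped literal.
    """

    def __init__(self, configured: Optional[List[str]] = None, escape: bool = True):
        self.configured = list(configured or [])
        self.escape = escape

    def _pattern(self, uri: str) -> "re.Pattern[str]":
        if self.escape:
            # Fixed: metacharacters are neutralised and the match is anchored,
            # so the configured value matches itself and nothing else.
            return re.compile(r"\A" + re.escape(uri) + r"\Z")
        # Vulnerable: the configured value is used as a regex as-is, so every
        # '.' in the hostname matches any character and the end is unanchored.
        return re.compile(uri)

    def is_allowed(self, redirect_uri: str) -> bool:
        if not self.configured:
            # No URI configured: the first value seen becomes the configuration.
            self.configured.append(redirect_uri)
            return True
        return any(self._pattern(u).match(redirect_uri) for u in self.configured)


if __name__ == "__main__":
    # Constructed inputs: the registered callback and two values that a strict
    # check must reject.
    registered = "https://app.example.com/callback"
    probes = [
        "https://app.example.com/callback",
        "https://appXexample.com/callback",      # '.' treated as a wildcard
        "https://app.example.com/callback/extra",  # unanchored prefix match
    ]
    for escape in (False, True):
        v = RedirectUriValidator([registered], escape=escape)
        print("escape =", escape, [v.is_allowed(p) for p in probes])
```

When the configured value is not meant to be a pattern at all, exact string comparison against the stored URI is the simplest correct check; `re.escape` is the right tool only when a regex engine is already in the path.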


3) Improper Authorization (CVE-ID: CVE-2024-52287)

The vulnerability allows a remote user to perform unauthorized actions in another system that trusts tokens signed by authentik.

The vulnerability exists due to improper authorization in OAuth scope validation for the client_credentials and device_code grants when issuing OAuth tokens. A remote privileged user can request or obtain a token with scopes not configured in authentik to perform unauthorized actions in another system that trusts tokens signed by authentik.

Exploitation requires valid OAuth2 client credentials and knowledge of a trusting downstream system and the scopes it checks for.
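The following is an added example, not code from the bulletin or from authentik, showing scope handling at token issuance for a client_credentials-style grant. It assumes a client record that carries the scopes configured for it in the provider; the client, scope names and function names are constructed for the demonstration. The weak form copies whatever scope string was requested into the token; the fixed form either rejects unknown scopes with `invalid_scope` or, when explicitly asked to, narrows the grant to the configured set and reports what was actually granted, which is the behaviour RFC 6749 section 3.3 describes for a server that issues a narrower scope than requested.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example of scope handling when issuing a token through the
# client_credentials grant. Illustrative code only, not authentik's
# implementation; the client record, scope names and function names are
# assumptions made for this demonstration.


@dataclass(frozen=True)
class OAuthClient:
    client_id: str
    allowed_scopes: frozenset  # scopes configured for this client in the provider


class InvalidScope(Exception):
    """Corresponds to the OAuth2 'invalid_scope' error response."""


def issue_token_vulnerable(client: OAuthClient, requested_scope: Optional[str]) -> dict:
    """Copy the requested scope into the token without checking it.

    Any scope string the caller sends, configured or not, ends up in a token
    signed by the authorization server; a downstream system that trusts the
    signature has no way to tell that the scope was never configured.
    """
    scope = requested_scope or " ".join(sorted(client.allowed_scopes))
    return {"client_id": client.client_id, "scope": scope}


def issue_token_fixed(client: OAuthClient, requested_scope: Optional[str],
                      downscope: bool = False) -> dict:
    """Issue a token carrying only scopes configured for the client.

    downscope=False (default): any unknown scope is rejected with invalid_scope.
    downscope=True: unknown scopes are dropped and the granted set is returned
    in the response so the client can see what it actually received.
    """
    if requested_scope:
        requested = set(requested_scope.split())
    else:
        requested = set(client.allowed_scopes)  # no scope parameter: default set
    unknown = requested - client.allowed_scopes
    if unknown and not downscope:
        raise InvalidScope("scope(s) not configured for client: " + " ".join(sorted(unknown)))
    granted = requested & client.allowed_scopes
    if not granted:
        raise InvalidScope("none of the requested scopes is configured for this client")
    return {"client_id": client.client_id, "scope": " ".join(sorted(granted))}


if __name__ == "__main__":
    # Constructed client: a reporting service allowed to read reports only.
    client = OAuthClient("svc-reporting", frozenset({"reports:read", "openid"}))
    request = "reports:read admin:write"  # admin:write is not configured
    print("vulnerable:", issue_token_vulnerable(client, request))
    try:
        issue_token_fixed(client, request)
    except InvalidScope as exc:
        print("fixed (strict):", exc)
    print("fixed (downscope):", issue_token_fixed(client, request, downscope=True))
```

The check belongs at issuance, not only at the downstream consumer: once the server has signed a token with an unconfigured scope, every relying party that trusts the signature inherits the mistake.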


Remediation

Install the update from the vendor's website.