Vulnerability identifier: #VU83292

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23555

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
authentik
Other software / Other software solutions

Vendor: Authentik Security Inc

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. A remote attacker can that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it's a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

authentik: 2022.10.0 - 2022.11.3

---

External links
http://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.