{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "12A5674E-2BD7-4C86-9748-0080DC1D8DE3", "versionEndExcluding": "2022.10.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F1325E1-8B8D-4E34-A443-646C43280671", "versionEndExcluding": "2022.11.4", "versionStartIncluding": "2022.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing to signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it's a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used. This issue is patched in authentik 2022.11.4,2022.10.4 and 2022.12.0. Only configurations that use invitations and have multiple enrollment flows with invitation stages that grant different permissions are affected. The default configuration is not vulnerable, and neither are configurations with a single enrollment flow. As a workaround, fixed data can be added to invitations which can be checked in the flow to deny requests. 
Alternatively, an identifier with high entropy (like a UUID) can be used as flow slug, mitigating the attack vector by exponentially decreasing the possibility of discovering other flows."}, {"lang": "es", "value": "authentik es un proveedor de identidades de c\u00f3digo abierto centrado en la flexibilidad y la versatilidad. Las versiones anteriores a 2022.11.4 y 2022.10.4 son vulnerables a una autenticaci\u00f3n incorrecta. La reutilizaci\u00f3n de tokens en las URL de invitaci\u00f3n conduce a eludir el control de acceso mediante el uso de un flujo de inscripci\u00f3n diferente al proporcionado. La vulnerabilidad permite a un atacante que conoce diferentes nombres de flujos de invitaci\u00f3n (por ejemplo, `inscripci\u00f3n-invitaci\u00f3n-prueba` y `inscripci\u00f3n-invitaci\u00f3n-admin`) a trav\u00e9s de diferentes enlaces de invitaci\u00f3n o mediante fuerza bruta registrarse a trav\u00e9s de una \u00fanica URL de invitaci\u00f3n para cualquier enlace de invitaci\u00f3n v\u00e1lido recibido (incluso puede ser una URL para un tercer flujo siempre que sea una invitaci\u00f3n v\u00e1lida), ya que el token utilizado en la secci\u00f3n \"Invitaciones\" de la interfaz de administraci\u00f3n NO cambia cuando se selecciona un \"flujo de inscripci\u00f3n\" diferente a trav\u00e9s de la interfaz y NO est\u00e1 vinculado al flujo seleccionado, por lo que ser\u00e1 v\u00e1lido para cualquier flujo cuando se utilice. Este problema se solucion\u00f3 en authentik 2022.11.4,2022.10.4 y 2022.12.0. Solo se ven afectadas las configuraciones que usan invitaciones y tienen m\u00faltiples flujos de inscripci\u00f3n con etapas de invitaci\u00f3n que otorgan diferentes permisos. La configuraci\u00f3n predeterminada no es vulnerable, como tampoco lo son las configuraciones con un \u00fanico flujo de inscripci\u00f3n. Como workaround, se pueden agregar datos fijos a las invitaciones que se pueden verificar en el flujo para rechazar solicitudes. 
Alternativamente, se puede utilizar un identificador con alta entrop\u00eda (como un UUID) como flow slug, mitigando el vector de ataque al disminuir exponencialmente la posibilidad de descubrir otros flujos."}], "id": "CVE-2022-23555", "lastModified": "2024-11-21T06:48:48.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-28T01:15:10.133", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}