authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the authentik instance to trust X-Forwarded-For header provided by the attacker, thus it is not reproducible from external hosts on a properly configured environment. The issue occurs due to the password stage having a policy bound to it, which skips the password stage if the Identification stage is setup to also contain a password stage. Due to the invalid X-Forwarded-For header, which does not get validated to be an IP Address early enough, the exception happens later and the policy fails. The default blueprint doesn't correctly set `failure_result` to `True` on the policy binding meaning that due to this exception the policy returns false and the password stage is skipped. Versions 2024.8.3 and 2024.6.5 fix this issue.
Metrics
Affected Vendors & Products
References
History
Fri, 27 Sep 2024 18:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Goauthentik
Goauthentik authentik |
|
CPEs | cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:* | |
Vendors & Products |
Goauthentik
Goauthentik authentik |
|
Metrics |
ssvc
|
Fri, 27 Sep 2024 15:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Title | Password authentication bypass via X-Forwarded-For HTTP header | authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header |
Fri, 27 Sep 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the authentik instance to trust X-Forwarded-For header provided by the attacker, thus it is not reproducible from external hosts on a properly configured environment. The issue occurs due to the password stage having a policy bound to it, which skips the password stage if the Identification stage is setup to also contain a password stage. Due to the invalid X-Forwarded-For header, which does not get validated to be an IP Address early enough, the exception happens later and the policy fails. The default blueprint doesn't correctly set `failure_result` to `True` on the policy binding meaning that due to this exception the policy returns false and the password stage is skipped. Versions 2024.8.3 and 2024.6.5 fix this issue. | |
Title | Password authentication bypass via X-Forwarded-For HTTP header | |
Weaknesses | CWE-287 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-09-27T15:18:03.999Z
Updated: 2024-09-27T17:55:55.382Z
Reserved: 2024-09-17T17:42:37.029Z
Link: CVE-2024-47070
Vulnrichment
Updated: 2024-09-27T17:55:51.025Z
NVD
Status : Awaiting Analysis
Published: 2024-09-27T16:15:05.413
Modified: 2024-09-30T12:45:57.823
Link: CVE-2024-47070
Redhat
No data.