Current Description

authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing to signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it's a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used. This issue is patched in authentik 2022.11.4,2022.10.4 and 2022.12.0. Only configurations that use invitations and have multiple enrollment flows with invitation stages that grant different permissions are affected. The default configuration is not vulnerable, and neither are configurations with a single enrollment flow. As a workaround, fixed data can be added to invitations which can be checked in the flow to deny requests. Alternatively, an identifier with high entropy (like a UUID) can be used as flow slug, mitigating the attack vector by exponentially decreasing the possibility of discovering other flows.

View Analysis Description

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  8.8 HIGH

Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CNA:  GitHub, Inc.

Base Score:  9.4 CRITICAL

Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h	Exploit  Third Party Advisory
https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h	Exploit  Third Party Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-287	Improper Authentication	NIST   GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

CVE Modified by CVE 11/21/2024 1:48:48 AM

Action	Type	Old Value	New Value
Added	Reference		https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h

CVE Modified by GitHub, Inc. 5/14/2024 6:19:36 AM

Action	Type	Old Value	New Value

CVE Modified by GitHub, Inc. 11/06/2023 10:44:13 PM

Action	Type	Old Value	New Value
Changed	Description	Record truncated, showing 500 of 1506 characters. View Entire Change Record authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute	Record truncated, showing 500 of 1507 characters. View Entire Change Record authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute

Initial Analysis by NIST 1/06/2023 1:50:46 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		NIST AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Added	CWE		NIST CWE-287
Added	CPE Configuration		OR *cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:* versions up to (excluding) 2022.10.4 *cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:* versions from (including) 2022.11.0 up to (excluding) 2022.11.4
Changed	Reference Type	https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h No Types Assigned	https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h Exploit, Third Party Advisory