Products
authentik
- 2014.2.4
- 2014.4.2
- 2014.6.0
Source
security-advisories@github.com
Tags
CVE-2024-37905 details
Published : June 28, 2024, 6:15 p.m.
Last Modified : June 28, 2024, 6:15 p.m.
Last Modified : June 28, 2024, 6:15 p.m.
Description
authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including resetting user passwords and more. This issue has been patched in version(s) 2024.2.4, 2024.4.2 and 2024.6.0.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8.8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-284 | Improper Access Control | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Exploitability Score
2.8
Impact Score
5.9
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
| URL | Source |
|---|---|
| https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4 | security-advisories@github.com |
| https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3 | security-advisories@github.com |
| https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0 | security-advisories@github.com |
| https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4 | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.