CVE-2024-52287

Nov. 21, 2024, 6:15 p.m.

None
No Score

Description

authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue.

Product(s) Impacted

Product Versions
authentik
  • 2024.8.5
  • 2024.10.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-285
Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/goauthentik/authentik/commit/e9c29e1644e9199b4ba58d2b10eb8c322138eea2
https://github.com/goauthentik/authentik/security/advisories/GHSA-v6m7-8j37-8f4v

Tags

security-advisories@github.com
CWE-285
2024-11-21
CVE-2024-52287

Timeline

Published: Nov. 21, 2024, 6:15 p.m.
Last Modified: Nov. 21, 2024, 6:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.