Authentik lacks Proxy IP headers validation
CVE-2023-36456

8.3 HIGH

Key Information:

CVE Published: 6 July 2023

What is CVE-2023-36456?

The authentik Identity Provider, prior to versions 2023.4.3 and 2023.5.5, does not verify the X-Forwarded-For and X-Real-IP headers. On deployments where users can reach authentik directly (rather than only through a trusted reverse proxy), a client can supply these headers itself and so spoof the IP address recorded in logs and passed to downstream applications, potentially bypassing security checks that depend on the client IP. This undermines the reliability of session logs and may affect the integrity of security policies, particularly where the user's IP address dictates the authentication flow. Versions 2023.4.3 and 2023.5.5 include patches that address this issue.
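As an added illustration (not authentik's code, and not its actual fix), the following Python contrasts the unvalidated header-trust pattern this advisory describes with a resolver that honours X-Forwarded-For and X-Real-IP only when the TCP peer is a configured trusted proxy; the proxy ranges and addresses are constructed for the example.

```python
import ipaddress

# Constructed example: address ranges of the reverse proxies we operate.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _is_trusted(addr: str) -> bool:
    """True if addr parses and falls inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_ip: str, headers: dict) -> str:
    """Unvalidated pattern: whoever sets the header chooses the recorded IP."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return headers.get("X-Real-IP", peer_ip)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Hardened pattern: forwarded headers count only from a trusted proxy."""
    if not _is_trusted(peer_ip):
        # Direct connection: the socket address is the only trustworthy source.
        return peer_ip
    xff = headers.get("X-Forwarded-For")
    if xff:
        # Walk the chain right-to-left; each trusted proxy appended one hop,
        # so the first untrusted hop is the real client. Anything further
        # left was supplied by the client and is ignored.
        for hop in reversed([h.strip() for h in xff.split(",")]):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                return peer_ip  # malformed header: fall back to the peer
            if not _is_trusted(hop):
                return hop
        return peer_ip
    real = headers.get("X-Real-IP")
    if real:
        try:
            ipaddress.ip_address(real)
            return real
        except ValueError:
            return peer_ip
    return peer_ip
```

A spoofed header sent straight to the server is discarded, and a spoofed value prepended by a client behind a trusted proxy is dropped in favour of the hop the proxy itself appended.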

Affected Version(s)

authentik < 2023.4.3

authentik >= 2023.5.0, < 2023.5.5

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved