Authentik Fixes Issue with Token Requests
CVE-2023-48228

9.8CRITICAL

Key Information:

Vendor

goauthentik

Status
authentik
Vendor
CVE Published:
21 November 2023

What is CVE-2023-48228?

authentik, an open-source identity provider, suffers from a vulnerability in its OAuth2 flow implementation. When initiating an OAuth2 flow with a 'code_challenge' and 'code_method' (indicating a request for PKCE), the system improperly validates the 'code_verifier' during token requests. Specifically, if the 'code_verifier' is omitted, authentik erroneously accepts the token request despite the initial request requiring a match. This flaw potentially allows unauthorized access under certain conditions. The issue is addressed in authentik versions 2023.8.5 and 2023.10.4.

Affected Version(s)

authentik < 2023.10.4 < 2023.10.4

authentik < 2023.8.5 < 2023.8.5

References

https://github.com/goauthentik/authentik/security/advisor...
x_refsource_CONFIRM
https://github.com/goauthentik/authentik/pull/7666
x_refsource_MISC
https://github.com/goauthentik/authentik/pull/7668
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.