OAuth2 Device Code Flow Vulnerability
CVE-2024-38371

8.6HIGH

Key Information:

Vendor

Goauthentik

Status
Authentik
Vendor
CVE Published:
28 June 2024

What is CVE-2024-38371?

A vulnerability has been identified in the Authentik Identity Provider that affects the OAuth2 Device code flow. Due to improper access restriction checks, it is possible for unauthorized users to obtain OAuth tokens and gain access to applications that should be restricted. This vulnerability poses a significant risk to the security of sensitive data and user accounts. Patches have been provided in versions 2024.2.4, 2024.4.3, and 2024.6.0 to address this issue and improve overall application security.

Affected Version(s)

authentik < 2024.6.0 < 2024.6.0

authentik < 2024.4.3 < 2024.4.3

authentik < 2024.2.4 < 2024.2.4

References

https://github.com/goauthentik/authentik/security/advisor...
x_refsource_CONFIRM
https://github.com/goauthentik/authentik/releases/tag/ver...
x_refsource_MISC
https://github.com/goauthentik/authentik/releases/tag/ver...
x_refsource_MISC

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.