CVE-2024-23647

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-23647
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-23647.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-23647
Aliases
Related
Published
2024-01-30T17:15:10Z
Modified
2025-01-08T02:47:20Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the codechallenge parameter to the authorization request and adds the codeverifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue.

References

Affected packages

Git / github.com/goauthentik/authentik

Affected ranges

Type
GIT
Repo
https://github.com/goauthentik/authentik
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed