CVE-2023-48228

authentik is an open-source identity provider. When initialising a oauth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check if there is a matching and existing `code_verifier` during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks if the contents of `code_verifier` is matching only when it is provided. When it is left out completely, authentik simply accepts the token request with out it; even when the flow was started with a `code_challenge`. authentik 2023.8.5 and 2023.10.4 fix this issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225	Product
https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6	Patch
https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5	Patch
https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14	Patch
https://github.com/goauthentik/authentik/pull/7666	Patch
https://github.com/goauthentik/authentik/pull/7668	Patch
https://github.com/goauthentik/authentik/pull/7669	Patch
https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4	Release Notes
https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5	Release Notes
https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:goauthentik:authentik::::::::
	cpe:2.3:a:goauthentik:authentik::::::::

History

No history.

Information

Published : 2023-11-21 21:15

Updated : 2023-11-29 02:35

NVD link : CVE-2023-48228

Mitre link : CVE-2023-48228

CVE.ORG link : CVE-2023-48228

JSON object : View

Products Affected

goauthentik

authentik

CWE

CWE-287

Improper Authentication

{"id": "CVE-2023-48228", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-11-21T21:15:08.477", "references": [{"url": "https://github.com/goauthentik/authentik/blob/dd4e9030b4e667d3720be2feda24c08972602274/authentik/providers/oauth2/views/token.py#L225", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/commit/3af77ab3821fe9c7df8055ba5eade3d1ecea03a6", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/commit/6b9afed21f7c39f171a4a445654cfe415bba37d5", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/commit/b88e39411c12e3f9e04125a7887f12354f760a14", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/pull/7666", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/pull/7668", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/pull/7669", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.5", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-fm34-v8xq-f2c3", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "authentik is an open-source identity provider. When initialising a oauth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the single sign-on provider (authentik) must check if there is a matching and existing `code_verifier` during the token step. Prior to versions 2023.10.4 and 2023.8.5, authentik checks if the contents of `code_verifier` is matching only when it is provided. When it is left out completely, authentik simply accepts the token request with out it; even when the flow was started with a `code_challenge`. authentik 2023.8.5 and 2023.10.4 fix this issue."}, {"lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto. Al inicializar un flujo oauth2 con un `code_challenge` y un `code_method` (solicitando as\u00ed PKCE), el proveedor de inicio de sesi\u00f3n \u00fanico (authentik) debe verificar si hay un `code_verifier` coincidente y existente durante el paso del token. Antes de las versiones 2023.10.4 y 2023.8.5, authentik verifica si el contenido de `code_verifier` coincide solo cuando se proporciona. Cuando se omite por completo, authentik simplemente acepta la solicitud del token sin \u00e9l; incluso cuando el flujo se inici\u00f3 con un \"code_challenge\". authentik 2023.8.5 y 2023.10.4 solucionan este problema."}], "lastModified": "2023-11-29T02:35:26.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EDAD4E86-B0E7-4863-B8B4-D3B85DF1F9B3", "versionEndExcluding": "2023.8.5"}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94DFCEE9-DE60-4890-8F11-D2EFDB0565D5", "versionEndExcluding": "2023.10.4", "versionStartIncluding": "2023.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}