CVE-2024-38371

authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been patched in version(s) 2024.6.0, 2024.2.4 and 2024.4.3.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4
https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3
https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0
https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45

Configurations

No configuration.

History

No history.

Information

Published : 2024-06-28 18:15

Updated : 2024-07-01 12:37

NVD link : CVE-2024-38371

Mitre link : CVE-2024-38371

CVE.ORG link : CVE-2024-38371

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

CWE-285

Improper Authorization

{"id": "CVE-2024-38371", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2024-06-28T18:15:04.647", "references": [{"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4", "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3", "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been patched in version(s) 2024.6.0, 2024.2.4 and 2024.4.3."}, {"lang": "es", "value": "authentik es un proveedor de identidades de c\u00f3digo abierto. Las restricciones de acceso asignadas a una aplicaci\u00f3n no se verificaron cuando se utiliz\u00f3 el flujo de c\u00f3digo del dispositivo OAuth2. Potencialmente, esto podr\u00eda permitir a los usuarios sin la autorizaci\u00f3n correcta obtener tokens OAuth para una aplicaci\u00f3n y acceder a ella. Este problema se solucion\u00f3 en las versiones 2024.6.0, 2024.2.4 y 2024.4.3."}], "lastModified": "2024-07-01T12:37:24.220", "sourceIdentifier": "security-advisories@github.com"}

8.6 /10