CVE-2024-47070

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47070
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47070.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-47070
Aliases
  • GHSA-7jxf-mmg9-9hg7
Published
2024-09-27T16:15:05Z
Modified
2024-10-08T04:27:20.046482Z
Summary
[none]
Details

authentik is an open-source identity provider. A vulnerability in versions prior to 2024.8.3 and 2024.6.5 allows bypassing the password login by adding an X-Forwarded-For header with an unparsable IP address, e.g. "a". This makes it possible to log into any account with a known login or email address. The vulnerability requires the authentik instance to trust the X-Forwarded-For header provided by the attacker, so it is not reproducible from external hosts in a properly configured environment. The issue occurs because the password stage has a policy bound to it which skips the password stage if the Identification stage is set up to also contain a password stage. Because the invalid X-Forwarded-For header is not validated as an IP address early enough, the exception is raised later, during policy evaluation, and the policy fails. The default blueprint does not correctly set failure_result to True on the policy binding, so on this exception the policy returns false and the password stage is skipped. Versions 2024.8.3 and 2024.6.5 fix this issue.
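The following is an added model of the failure mode described above, not authentik's own code: a hypothetical PolicyBinding whose bound policy resolves the client IP, with the flawed default (failure_result False, IP parsed late) beside the two fixes the advisory implies (fail closed with failure_result True, or validate X-Forwarded-For up front). All names, the request dict layout and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

class PolicyException(Exception):
    """The policy could not be evaluated, e.g. because the client IP is unparsable."""

@dataclass
class PolicyBinding:
    policy: Callable[[dict], bool]
    failure_result: bool = False  # constructed default, mirroring the advisory's flawed blueprint

    def passes(self, request: dict) -> bool:
        """A stage runs only when its bound policy passes; an exception yields failure_result."""
        try:
            return self.policy(request)
        except PolicyException:
            return self.failure_result

def client_ip(request: dict, strict: bool) -> str:
    """strict=True validates X-Forwarded-For up front and falls back to the socket address;
    strict=False (the flawed path) defers the error until the policy runs."""
    forwarded = request["headers"].get("X-Forwarded-For")
    if forwarded is None:
        return request["remote_addr"]
    candidate = forwarded.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        if strict:
            return request["remote_addr"]  # ignore the bogus hop instead of raising later
        raise PolicyException(f"unparsable client IP {candidate!r}")

def make_skip_policy(strict: bool) -> Callable[[dict], bool]:
    """Policy bound to the password stage: pass (run the stage) unless the Identification
    stage already collected the password. Resolving the client IP is what can raise."""
    def policy(request: dict) -> bool:
        request["context"]["client_ip"] = client_ip(request, strict)
        return not request["context"].get("identification_has_password", False)
    return policy

def password_stage_runs(request: dict, strict_ip: bool, failure_result: bool) -> bool:
    binding = PolicyBinding(policy=make_skip_policy(strict_ip), failure_result=failure_result)
    return binding.passes(request)

def sample_request(xff: Optional[str], ident_has_password: bool = False) -> dict:
    """Constructed request; remote_addr is a documentation address (RFC 5737)."""
    headers = {} if xff is None else {"X-Forwarded-For": xff}
    return {"headers": headers, "remote_addr": "203.0.113.10",
            "context": {"identification_has_password": ident_has_password}}
```

With the flawed combination (late parsing, failure_result False) an unparsable header turns the policy exception into a skipped password stage; either fix alone keeps the stage in the flow.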

References

Affected packages

Git / github.com/goauthentik/authentik

Affected ranges

Type
GIT
Repo
https://github.com/goauthentik/authentik
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

version/0.*

version/0.0.10-alpha
version/0.0.11-alpha
version/0.0.12-alpha
version/0.0.13-alpha
version/0.0.2-alpha
version/0.0.3-alpha
version/0.0.4-alpha
version/0.0.5-alpha
version/0.0.6-alpha
version/0.0.7-alpha
version/0.0.8-alpha
version/0.0.9-alpha
version/0.1.0-beta
version/0.1.1-beta
version/0.1.10-beta
version/0.1.11-beta
version/0.1.12-beta
version/0.1.13-beta
version/0.1.14-beta
version/0.1.15-beta
version/0.1.16-beta
version/0.1.17-beta
version/0.1.18-beta
version/0.1.19-beta
version/0.1.2-beta
version/0.1.20-beta
version/0.1.21-beta
version/0.1.22-beta
version/0.1.23-beta
version/0.1.24-beta
version/0.1.25-beta
version/0.1.26-beta
version/0.1.27-beta
version/0.1.28-beta
version/0.1.29-beta
version/0.1.3-beta
version/0.1.30-beta
version/0.1.31-beta
version/0.1.32-beta
version/0.1.33-beta
version/0.1.34-beta
version/0.1.35-beta
version/0.1.36-beta
version/0.1.37-beta
version/0.1.38-beta
version/0.1.4-beta
version/0.1.5-beta
version/0.1.6-beta
version/0.1.7-beta
version/0.1.8-beta
version/0.1.9-beta
version/0.10.0-rc1
version/0.10.0-rc2
version/0.10.0-rc3
version/0.10.0-rc4
version/0.10.0-rc5
version/0.10.0-rc6
version/0.10.0-stable
version/0.10.1-stable
version/0.10.2-stable
version/0.10.3-stable
version/0.10.4-stable
version/0.10.5-stable
version/0.10.6-stable
version/0.10.7-stable
version/0.10.8-stable
version/0.10.9-stable
version/0.11.0-stable
version/0.12.0-stable
version/0.12.1-stable
version/0.12.10-stable
version/0.12.11-stable
version/0.12.2-stable
version/0.12.3-stable
version/0.12.4-stable
version/0.12.5-stable
version/0.12.6-stable
version/0.12.7-stable
version/0.12.8-stable
version/0.12.9-stable
version/0.13.0-rc1
version/0.13.0-rc2
version/0.13.0-rc3
version/0.13.0-rc4
version/0.13.0-stable
version/0.13.1-stable
version/0.13.2-stable
version/0.13.3-stable
version/0.2.0-beta
version/0.2.1-beta
version/0.2.2-beta
version/0.2.3-beta
version/0.2.4-beta
version/0.2.5-beta
version/0.2.6-beta
version/0.2.7-beta
version/0.2.8-beta
version/0.3.0-beta
version/0.4.0-beta
version/0.4.1-beta
version/0.4.2-beta
version/0.5.0-beta
version/0.6.0-beta
version/0.6.1-beta
version/0.6.10-beta
version/0.6.11-beta
version/0.6.2-beta
version/0.6.3-beta
version/0.6.4-beta
version/0.6.5-beta
version/0.6.6-beta
version/0.6.7-beta
version/0.6.8-beta
version/0.6.9-beta
version/0.7.0-beta
version/0.7.1-beta
version/0.7.10-beta
version/0.7.11-beta
version/0.7.12-beta
version/0.7.13-beta
version/0.7.14-beta
version/0.7.15-beta
version/0.7.16-beta
version/0.7.17-beta
version/0.7.2-beta
version/0.7.3-beta
version/0.7.4-beta
version/0.7.5-beta
version/0.7.6-beta
version/0.7.7-beta
version/0.7.8-beta
version/0.7.9-beta
version/0.8.0-beta
version/0.8.1-beta
version/0.8.10-beta
version/0.8.11-beta
version/0.8.12-beta
version/0.8.14-beta
version/0.8.15-beta
version/0.8.2-beta
version/0.8.3-beta
version/0.8.4-beta
version/0.8.5-beta
version/0.8.6-beta
version/0.8.7-beta
version/0.8.8-beta
version/0.8.9-beta
version/0.9.0-pre1
version/0.9.0-pre2
version/0.9.0-pre3
version/0.9.0-pre4
version/0.9.0-pre5
version/0.9.0-pre6
version/0.9.0-pre7
version/0.9.0-rc1
version/0.9.0-rc2
version/0.9.0-stable

version/2021.*

version/2021.1.1-rc1
version/2021.1.1-rc2
version/2021.1.1-stable
version/2021.1.2-stable
version/2021.1.3-stable
version/2021.1.4-stable
version/2021.10.1
version/2021.10.1-rc1
version/2021.10.1-rc2
version/2021.10.1-rc3
version/2021.10.2
version/2021.10.3
version/2021.10.4
version/2021.12.1
version/2021.12.1-rc1
version/2021.12.1-rc2
version/2021.12.1-rc3
version/2021.12.1-rc4
version/2021.12.1-rc5
version/2021.12.2
version/2021.12.3
version/2021.12.4
version/2021.12.5
version/2021.2.1-rc1
version/2021.2.1-rc2
version/2021.2.1-stable
version/2021.2.2-stable
version/2021.2.3-stable
version/2021.2.4-stable
version/2021.2.5-stable
version/2021.2.6-stable
version/2021.3.1
version/2021.3.1-rc1
version/2021.3.1-rc2
version/2021.3.2
version/2021.3.3
version/2021.3.4
version/2021.4.1
version/2021.4.1-rc1
version/2021.4.1-rc2
version/2021.4.2
version/2021.4.3
version/2021.4.4
version/2021.4.5
version/2021.5.1
version/2021.5.1-rc1
version/2021.5.1-rc10
version/2021.5.1-rc2
version/2021.5.1-rc3
version/2021.5.1-rc4
version/2021.5.1-rc5
version/2021.5.1-rc6
version/2021.5.1-rc7
version/2021.5.1-rc8
version/2021.5.1-rc9
version/2021.5.2
version/2021.5.3
version/2021.5.4
version/2021.6.1
version/2021.6.1-rc1
version/2021.6.1-rc2
version/2021.6.1-rc3
version/2021.6.1-rc4
version/2021.6.1-rc5
version/2021.6.1-rc6
version/2021.6.2
version/2021.6.3
version/2021.6.4
version/2021.7.1
version/2021.7.1-rc1
version/2021.7.1-rc2
version/2021.7.2
version/2021.7.3
version/2021.8.1
version/2021.8.1-rc1
version/2021.8.1-rc2
version/2021.8.2
version/2021.8.3
version/2021.8.4
version/2021.9.1
version/2021.9.1-rc1
version/2021.9.1-rc2
version/2021.9.1-rc3
version/2021.9.2
version/2021.9.3
version/2021.9.4
version/2021.9.5
version/2021.9.6
version/2021.9.7
version/2021.9.8

version/2022.*

version/2022.1.1
version/2022.1.2
version/2022.1.3
version/2022.1.4
version/2022.1.5
version/2022.10.0
version/2022.10.1
version/2022.11.0
version/2022.11.1
version/2022.11.2
version/2022.11.3
version/2022.11.4
version/2022.12.0
version/2022.12.1
version/2022.12.2
version/2022.2.1
version/2022.3.1
version/2022.3.2
version/2022.3.3
version/2022.4.1
version/2022.5.1
version/2022.5.2
version/2022.5.3
version/2022.6.1
version/2022.6.2
version/2022.6.3
version/2022.7.1
version/2022.7.2
version/2022.7.3
version/2022.8.1
version/2022.8.2
version/2022.9.0

version/2023.*

version/2023.1.0
version/2023.1.1
version/2023.1.2
version/2023.10.0
version/2023.10.1
version/2023.10.2
version/2023.2.0
version/2023.2.1
version/2023.2.2
version/2023.5.0
version/2023.5.1
version/2023.5.2
version/2023.5.3
version/2023.6.0
version/2023.6.1
version/2023.8.0
version/2023.8.1
version/2023.8.2
version/2023.8.3

version/2024.*

version/2024.6.0
version/2024.6.0-rc1
version/2024.6.0-rc2
version/2024.6.1
version/2024.6.2
version/2024.6.3
version/2024.6.4
version/2024.8.0
version/2024.8.0-rc1
version/2024.8.0-rc2
version/2024.8.1
version/2024.8.2