← Volver a CVEs

CVE-2022-46145

HIGH

8.1

Descripcion

authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`.

Detalles CVE

Puntuacion CVSS v3.18.1

SeveridadHIGH

Vector CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadHIGH

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado12/2/2022

Ultima modificacion11/21/2024

Fuentenvd

Avistamientos honeypot0

Productos afectados

goauthentik:authentik

Debilidades (CWE)

CWE-287CWE-306

Referencias

https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf(security-advisories@github.com)

https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102(security-advisories@github.com)

https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112(security-advisories@github.com)

https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf(af854a3a-2127-422b-91ae-364da2661108)

https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102(af854a3a-2127-422b-91ae-364da2661108)

https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.