← Voltar para CVEs
CVE-2022-46145
HIGH8.1
Descricao
authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`.
Detalhes CVE
Pontuacao CVSS v3.18.1
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeHIGH
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado12/2/2022
Ultima modificacao11/21/2024
Fontenvd
Avistamentos honeypot0
Produtos afetados
goauthentik:authentik
Fraquezas (CWE)
CWE-287CWE-306
Referencias
https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf(security-advisories@github.com)
https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102(security-advisories@github.com)
https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112(security-advisories@github.com)
https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf(af854a3a-2127-422b-91ae-364da2661108)
https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102(af854a3a-2127-422b-91ae-364da2661108)
https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112(af854a3a-2127-422b-91ae-364da2661108)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.