Plattform
go
Komponente
authentik
Behoben in
2024.8.1
2024.6.6
CVE-2024-47070 describes an authentication bypass vulnerability affecting authentik versions 2024.6.0 through 2024.8.2. This flaw allows attackers to circumvent password login mechanisms by crafting a malicious X-Forwarded-For header, potentially granting unauthorized access to user accounts. A fix is available in version 2024.8.3.
The impact of CVE-2024-47070 is significant, as it enables unauthorized access to user accounts within the authentik identity provider. An attacker can bypass the standard password authentication process by injecting a specially crafted X-Forwarded-For header containing an invalid IP address (e.g., 'a'). This bypass is contingent on the authentik instance trusting the X-Forwarded-For header, which is typically only the case in environments behind a reverse proxy or load balancer. Successful exploitation could lead to data breaches, privilege escalation, and compromise of sensitive information managed by authentik.
CVE-2024-47070 was publicly disclosed on 2024-09-27. The vulnerability requires the authentik instance to trust the X-Forwarded-For header, limiting exploitation to environments behind a reverse proxy. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation makes it a potential target for opportunistic attackers. The CVSS score of 9.1 (CRITICAL) reflects the severity of the vulnerability.
Organizations utilizing authentik as an identity provider, particularly those deployed behind reverse proxies or load balancers, are at risk. Environments where the X-Forwarded-For header is trusted without proper validation are especially vulnerable. Shared hosting environments using authentik are also at increased risk due to potential header manipulation.
• linux / server:
journalctl -u authentik | grep -i "X-Forwarded-For"• generic web:
curl -I <authentik_url> | grep X-Forwarded-For• generic web:
Inspect access logs for requests containing unusual or malformed X-Forwarded-For headers.
disclosure
Exploit-Status
EPSS
0.14% (34% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-47070 is to upgrade authentik to version 2024.8.3 or later, which contains the fix for this vulnerability. If immediate upgrading is not feasible, consider implementing stricter validation of the X-Forwarded-For header at the reverse proxy or load balancer level. This can involve whitelisting trusted IP addresses or rejecting requests with malformed or unexpected header values. Additionally, review your authentik configuration to ensure that the X-Forwarded-For header is not being trusted unnecessarily. After upgrading, confirm the fix by attempting a login with a crafted X-Forwarded-For header; the login should be rejected.
Actualice authentik a la versión 2024.8.3 o posterior. Alternativamente, actualice a la versión 2024.6.5 o posterior. Esto corrige la vulnerabilidad de omisión de autenticación mediante la cabecera HTTP X-Forwarded-For.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-47070 is a critical vulnerability in authentik versions 2024.6.0–2024.8.2 that allows attackers to bypass password login by manipulating the X-Forwarded-For header, potentially gaining unauthorized access to user accounts.
You are affected if you are running authentik versions 2024.6.0 through 2024.8.2 and your authentik instance trusts the X-Forwarded-For header provided by the attacker.
Upgrade authentik to version 2024.8.3 or later. If immediate upgrading is not possible, implement stricter validation of the X-Forwarded-For header at the reverse proxy level.
While no public exploits are currently known, the ease of exploitation makes it a potential target for opportunistic attackers.
Refer to the authentik security advisory: https://github.com/authentikapp/authentik/security/advisories/GHSA-9864-x49p-643r
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine go.mod-Datei hoch und wir sagen dir sofort, ob du betroffen bist.