Platform
go
Component
github.com/authelia/authelia/v4
Fixed in
4.0.1
4.29.3
CVE-2021-32637 describes a critical authentication bypass vulnerability within Authelia v4, specifically when integrated with nginx's ngxhttpauthrequestmodule. An attacker can craft malicious HTTP requests to circumvent the authentication process, gaining unauthorized access. This vulnerability impacts versions prior to v4.29.3, and a patch is available for backporting to earlier versions.
The primary impact of CVE-2021-32637 lies in the potential for unauthorized access. Attackers can bypass Authelia's authentication mechanism by manipulating HTTP requests, effectively gaining access to protected resources without proper credentials. This could lead to data breaches, account compromise, and potential system takeover. The vulnerability's reliance on the ngxhttpauthrequestmodule means that environments using this configuration are particularly at risk. While the description notes potential impact on other proxy servers, the focus is on nginx due to its widespread support and use with Authelia.
CVE-2021-32637 was publicly disclosed on December 20, 2021. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and relatively straightforward exploitation path make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not widely available, but the vulnerability's nature suggests that it could be easily demonstrated.
Exploit Status
EPSS
0.46% (64% percentile)
CVSS Vector
The recommended mitigation for CVE-2021-32637 is to upgrade Authelia to version 4.29.3 or later. This version includes a direct fix for the vulnerability. If upgrading is not immediately feasible, the Authelia team provides a git patch for version 4.25.1 that can be applied as a temporary workaround. Carefully review the patch instructions and test thoroughly in a non-production environment before deploying to production. Consider implementing stricter input validation on the nginx side to further reduce the attack surface. After upgrade, confirm authentication bypass protection by attempting to access protected resources with crafted HTTP requests.
Update Authelia to version 4.29.3 or higher. Alternatively, apply the provided patch or add a block for requests with malformed URIs in the reverse proxy configuration.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2021-32637 is a critical vulnerability in Authelia v4 that allows attackers to bypass authentication when using nginx's ngxhttpauthrequestmodule through crafted HTTP requests.
You are affected if you are using Authelia v4 with nginx's ngxhttpauthrequestmodule and have not upgraded to version 4.29.3 or applied the backport patch.
Upgrade Authelia to version 4.29.3 or apply the provided git patch for version 4.25.1. Test thoroughly after applying the fix.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the official Authelia security advisory on their website or GitHub repository for detailed information and updates: https://github.com/authelia/authelia/security/advisories/GHSA-839w-5795-643x
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.