無料スキャン
CRITICALCVE-2021-32637CVSS 10

Authelia vulnerable to an authentication bypassed with malformed request URI on nginx

翻訳中…

プラットフォーム

go

コンポーネント

github.com/authelia/authelia/v4

修正版

4.0.1

4.29.3

AI Confidence: highNVDEPSS 0.5%レビュー済み: 2026年5月
NVDで見る
保存
あなたの言語に翻訳中…

CVE-2021-32637 describes a critical authentication bypass vulnerability within Authelia v4, specifically when integrated with nginx's ngxhttpauthrequestmodule. An attacker can craft malicious HTTP requests to circumvent the authentication process, gaining unauthorized access. This vulnerability impacts versions prior to v4.29.3, and a patch is available for backporting to earlier versions.

Go

このCVEがあなたのプロジェクトに影響するか確認

go.mod ファイルをアップロードすると、影響の有無を即座にお知らせします。

go.mod をアップロード

影響と攻撃シナリオ翻訳中…

The primary impact of CVE-2021-32637 lies in the potential for unauthorized access. Attackers can bypass Authelia's authentication mechanism by manipulating HTTP requests, effectively gaining access to protected resources without proper credentials. This could lead to data breaches, account compromise, and potential system takeover. The vulnerability's reliance on the ngxhttpauthrequestmodule means that environments using this configuration are particularly at risk. While the description notes potential impact on other proxy servers, the focus is on nginx due to its widespread support and use with Authelia.

悪用の状況翻訳中…

CVE-2021-32637 was publicly disclosed on December 20, 2021. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and relatively straightforward exploitation path make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not widely available, but the vulnerability's nature suggests that it could be easily demonstrated.

リスク対象者翻訳中…

Organizations utilizing Authelia v4 in conjunction with nginx's ngxhttpauthrequestmodule are at risk. This includes environments relying on Authelia for single sign-on (SSO) or multi-factor authentication (MFA) for web applications. Shared hosting environments where nginx configuration is managed by the hosting provider are also potentially vulnerable, as they may be using the affected configuration without explicit awareness.

検出手順翻訳中…

• linux / server: Monitor nginx access logs for unusual HTTP request patterns, particularly those containing malformed URI paths. Use journalctl -u nginx to check for errors related to authentication requests.

 grep -i 'auth_request' /var/log/nginx/access.log | grep -i 'malformed'

• generic web: Use curl to test authentication endpoints with crafted requests containing unusual characters or URI structures. Examine response headers for unexpected behavior.

curl -v --url 'https://your-authelia-protected-site/some-protected-resource?param=';

攻撃タイムライン

  1. Disclosure

    disclosure

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

EPSS

0.46% (64% パーセンタイル)

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H10.0CRITICALAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredNone攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeChanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityHighサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
なし — 認証不要。資格情報なしで悪用可能。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化あり — 攻撃が脆弱なコンポーネントを超えて他のシステムに波及可能。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
高 — 完全なクラッシュまたはリソース枯渇。完全なサービス拒否。

影響を受けるソフトウェア

コンポーネントgithub.com/authelia/authelia/v4
ベンダーosv
影響範囲修正版
>= 4.0.0-alpha1, < 4.29.3 – >= 4.0.0-alpha1, < 4.29.34.0.1
4.0.0-alpha14.29.3

弱点分類 (CWE)

CWE-287

タイムライン

  1. 予約済み
  2. 公開日
  3. 更新日
  4. EPSS 更新日

緩和策と回避策翻訳中…

The recommended mitigation for CVE-2021-32637 is to upgrade Authelia to version 4.29.3 or later. This version includes a direct fix for the vulnerability. If upgrading is not immediately feasible, the Authelia team provides a git patch for version 4.25.1 that can be applied as a temporary workaround. Carefully review the patch instructions and test thoroughly in a non-production environment before deploying to production. Consider implementing stricter input validation on the nginx side to further reduce the attack surface. After upgrade, confirm authentication bypass protection by attempting to access protected resources with crafted HTTP requests.

修正方法翻訳中…

Actualice Authelia a la versión 4.29.3 o superior. Como alternativa, aplique el parche proporcionado o agregue un bloqueo para solicitudes con URI malformados en la configuración del proxy inverso.

CVEセキュリティニュースレター

脆弱性分析と重要アラートをメールでお届けします。

よくある質問翻訳中…

What is CVE-2021-32637 — Authentication Bypass in Authelia v4?

CVE-2021-32637 is a critical vulnerability in Authelia v4 that allows attackers to bypass authentication when using nginx's ngxhttpauthrequestmodule through crafted HTTP requests.

Am I affected by CVE-2021-32637 in Authelia v4?

You are affected if you are using Authelia v4 with nginx's ngxhttpauthrequestmodule and have not upgraded to version 4.29.3 or applied the backport patch.

How do I fix CVE-2021-32637 in Authelia v4?

Upgrade Authelia to version 4.29.3 or apply the provided git patch for version 4.25.1. Test thoroughly after applying the fix.

Is CVE-2021-32637 being actively exploited?

While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation make it a potential target.

Where can I find the official Authelia advisory for CVE-2021-32637?

Refer to the official Authelia security advisory on their website or GitHub repository for detailed information and updates: https://github.com/authelia/authelia/security/advisories/GHSA-839w-5795-643x

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索