Authelia vulnerável a uma autenticação ignorada com URI de requisição malformado no nginx
Plataforma
go
Componente
github.com/authelia/authelia/v4
Corrigido em
4.0.1
4.29.3
CVE-2021-32637 describes a critical authentication bypass vulnerability within Authelia v4, specifically when integrated with nginx's ngxhttpauthrequestmodule. An attacker can craft malicious HTTP requests to circumvent the authentication process, gaining unauthorized access. This vulnerability impacts versions prior to v4.29.3, and a patch is available for backporting to earlier versions.
Detecte esta CVE no seu projeto
Envie seu arquivo go.mod e descubra na hora se você está afetado.
Impacto e Cenários de Ataquetraduzindo…
The primary impact of CVE-2021-32637 lies in the potential for unauthorized access. Attackers can bypass Authelia's authentication mechanism by manipulating HTTP requests, effectively gaining access to protected resources without proper credentials. This could lead to data breaches, account compromise, and potential system takeover. The vulnerability's reliance on the ngxhttpauthrequestmodule means that environments using this configuration are particularly at risk. While the description notes potential impact on other proxy servers, the focus is on nginx due to its widespread support and use with Authelia.
Contexto de Exploraçãotraduzindo…
CVE-2021-32637 was publicly disclosed on December 20, 2021. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and relatively straightforward exploitation path make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not widely available, but the vulnerability's nature suggests that it could be easily demonstrated.
Quem Está em Riscotraduzindo…
Organizations utilizing Authelia v4 in conjunction with nginx's ngxhttpauthrequestmodule are at risk. This includes environments relying on Authelia for single sign-on (SSO) or multi-factor authentication (MFA) for web applications. Shared hosting environments where nginx configuration is managed by the hosting provider are also potentially vulnerable, as they may be using the affected configuration without explicit awareness.
Passos de Detecçãotraduzindo…
• linux / server: Monitor nginx access logs for unusual HTTP request patterns, particularly those containing malformed URI paths. Use journalctl -u nginx to check for errors related to authentication requests.
grep -i 'auth_request' /var/log/nginx/access.log | grep -i 'malformed'• generic web: Use curl to test authentication endpoints with crafted requests containing unusual characters or URI structures. Examine response headers for unexpected behavior.
curl -v --url 'https://your-authelia-protected-site/some-protected-resource?param=';Linha do Tempo do Ataque
- Disclosure
disclosure
Inteligência de Ameaças
Status do Exploit
EPSS
0.46% (percentil 64%)
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Nenhum — sem autenticação necessária para explorar.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Alterado — o ataque pode pivotar para além do componente vulnerável.
- Confidentiality
- Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
- Integrity
- Alto — o atacante pode escrever, modificar ou excluir qualquer dado.
- Availability
- Alto — falha completa ou esgotamento de recursos. Negação de serviço total.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
- Modificada
- EPSS atualizado
Mitigação e Soluções Alternativastraduzindo…
The recommended mitigation for CVE-2021-32637 is to upgrade Authelia to version 4.29.3 or later. This version includes a direct fix for the vulnerability. If upgrading is not immediately feasible, the Authelia team provides a git patch for version 4.25.1 that can be applied as a temporary workaround. Carefully review the patch instructions and test thoroughly in a non-production environment before deploying to production. Consider implementing stricter input validation on the nginx side to further reduce the attack surface. After upgrade, confirm authentication bypass protection by attempting to access protected resources with crafted HTTP requests.
Como corrigir
Atualize Authelia para a versão 4.29.3 ou superior. Alternativamente, aplique o patch fornecido ou adicione um bloqueio para requisições com URI malformados na configuração do proxy reverso.
Boletim de Segurança CVE
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
Perguntas frequentestraduzindo…
What is CVE-2021-32637 — Authentication Bypass in Authelia v4?
CVE-2021-32637 is a critical vulnerability in Authelia v4 that allows attackers to bypass authentication when using nginx's ngxhttpauthrequestmodule through crafted HTTP requests.
Am I affected by CVE-2021-32637 in Authelia v4?
You are affected if you are using Authelia v4 with nginx's ngxhttpauthrequestmodule and have not upgraded to version 4.29.3 or applied the backport patch.
How do I fix CVE-2021-32637 in Authelia v4?
Upgrade Authelia to version 4.29.3 or apply the provided git patch for version 4.25.1. Test thoroughly after applying the fix.
Is CVE-2021-32637 being actively exploited?
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation make it a potential target.
Where can I find the official Authelia advisory for CVE-2021-32637?
Refer to the official Authelia security advisory on their website or GitHub repository for detailed information and updates: https://github.com/authelia/authelia/security/advisories/GHSA-839w-5795-643x
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.