26 lines
1.0 KiB
Markdown
26 lines
1.0 KiB
Markdown
# CVE-2024-47077
|
|
|
|
_Reported by [@quentinmit](https://github.com/quentinmit)_
|
|
|
|
## Insufficient cross-provider token validation during introspection
|
|
|
|
### Summary
|
|
|
|
Access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access.
|
|
|
|
### Details
|
|
|
|
The proxy provider uses `/application/o/introspect/` to validate bearer tokens provided in the `Authorization` header:
|
|
|
|
The implementation of this endpoint separately validates the `client_id` and `client_secret` (which are that of the proxy provider) and the `token` without validating that they correspond to the same provider.
|
|
|
|
### Patches
|
|
|
|
authentik 2024.6.5 and 2024.8.3 fix this issue.
|
|
|
|
### For more information
|
|
|
|
If you have any questions or comments about this advisory:
|
|
|
|
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
|