1.5 KiB
CVE-2024-52287
Reported by @matt1097
Insufficient validation of OAuth scopes for client_credentials and device_code grants
Summary
When using the client_credentials
or device_code
OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik.
Details
With the device_code
grant, it was possible to have a user authorize a set of permitted scopes, and then acquire a token with a different set of scopes, including scopes not configured. This token could potentially be used to send requests to another system which trusts tokens signed by authentik and execute malicious actions on behalf of the user.
With the client_credentials
grant, because there is no user authorization process, authentik would not validate the scopes requested for the token, allowing tokens to be issued with scopes not configured in authentik. These could similarly be used to execute malicious actions in other systems.
There is no workaround for this issue; however this issue could only be exploited if an attacker possesses a valid set of OAuth2 client_id
and client_secret
credentials, and has the knowledge of another system that trusts tokens issued by authentik and what scopes it checks for.
Patches
authentik 2024.8.5 and 2024.10.3 fix this issue.
For more information
If you have any questions or comments about this advisory:
- Email us at security@goauthentik.io