authentik/website/docs/security/cves/CVE-2024-52287.md

# CVE-2024-52287
_Reported by [@matt1097](https://github.com/matt1097)_
## Insufficient validation of OAuth scopes for client_credentials and device_code grants
### Summary
When using the `client_credentials` or `device_code` OAuth grants, it was possible for an attacker to obtain a token from authentik carrying scopes that had not been configured in authentik.
### Details
With the `device_code` grant, it was possible to have a user authorize a set of permitted scopes, and then acquire a token with a different set of scopes, including scopes not configured. This token could potentially be used to send requests to another system which trusts tokens signed by authentik and execute malicious actions on behalf of the user.
With the `client_credentials` grant, because there is no user authorization process, authentik would not validate the scopes requested for the token, allowing tokens to be issued with scopes not configured in authentik. These could similarly be used to execute malicious actions in other systems.
There is no workaround for this issue; however, it can only be exploited by an attacker who possesses a valid set of OAuth2 `client_id` and `client_secret` credentials and who knows of another system that trusts tokens issued by authentik and which scopes it checks for.
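As an added illustration (hypothetical code written for this page, not authentik's implementation), the check a token endpoint must apply to both grants: every requested scope is bounded by the client's configured scopes, and for `device_code` additionally by what the user actually approved. The names `OAuthClient`, `DeviceAuthorization`, `validate_scopes` and `is_rejected` are invented for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class OAuthClient:
    """Hypothetical client record; allowed_scopes = scopes configured for it."""
    client_id: str
    allowed_scopes: frozenset[str]

@dataclass(frozen=True)
class DeviceAuthorization:
    """Hypothetical device_code session; authorized_scopes = what the user approved."""
    device_code: str
    authorized_scopes: frozenset[str]

class InvalidScope(Exception):
    """Maps to the RFC 6749 section 5.2 'invalid_scope' token-endpoint error."""

def validate_scopes(requested: str, client: OAuthClient, grant: str,
                    device_auth: DeviceAuthorization | None = None) -> frozenset[str]:
    """Return the scopes a token may carry, or raise InvalidScope.

    client_credentials: bounded by the client's configured scopes (no user step).
    device_code: bounded by the user's approval AND the client's configuration.
    An empty scope parameter falls back to the permitted set, never to a later claim.
    """
    wanted = frozenset(requested.split())
    if grant == "client_credentials":
        permitted = client.allowed_scopes
    elif grant == "device_code":
        if device_auth is None:
            raise InvalidScope("device_code grant requires a completed user authorization")
        permitted = device_auth.authorized_scopes & client.allowed_scopes
    else:
        raise InvalidScope(f"unsupported grant type: {grant}")
    excess = wanted - permitted
    if excess:
        raise InvalidScope("scope(s) not permitted: " + " ".join(sorted(excess)))
    return wanted or permitted

def is_rejected(requested: str, client: OAuthClient, grant: str,
                device_auth: DeviceAuthorization | None = None) -> bool:
    """True when the token request would be refused; usable from an audit script."""
    try:
        validate_scopes(requested, client, grant, device_auth)
    except InvalidScope:
        return True
    return False
```

The `device_code` branch intersects the user's approval with the client configuration, so a token can never exceed either set even if one of them is later widened.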
### Patches
authentik 2024.8.5 and 2024.10.3 fix this issue.
### For more information
If you have any questions or comments about this advisory:
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)