31 lines
1.5 KiB
Markdown
31 lines
1.5 KiB
Markdown
# CVE-2024-52289
|
|
|
|
_Reported by [@PontusHanssen](https://github.com/PontusHanssen)_
|
|
|
|
## Insecure default configuration for OAuth2 Redirect URIs
|
|
|
|
### Summary
|
|
|
|
Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
|
|
When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either.
|
|
|
|
Given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register a domain `fooaexample.com`, and it will correctly pass validation.
|
|
|
|
### Patches
|
|
|
|
authentik 2024.8.5 and 2024.10.3 fix this issue.
|
|
|
|
The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change.
|
|
|
|
Manual action _is required_ if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
|
|
|
|
### Workarounds
|
|
|
|
When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\.`.
|
|
|
|
### For more information
|
|
|
|
If you have any questions or comments about this advisory:
|
|
|
|
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
|