Under very specific conditions, changes to a user's groups may not have the expected results.
The specific conditions are:
When these conditions are met, administrators may find that the changes are not taken into account by access control for longer than expected. While this may not necessarily be a security vulnerability, it's security-adjacent, and because of its unexpected nature and our dedication to a security-first culture we feel it's important to make users aware of this behaviour, and of the existence of a fix, by way of a security advisory.
This:
This behaviour was identified after it was inadvertently fixed in the master branch during the multi-cookie domain rework (i.e. between feature releases). A patch for prior versions can be provided upon request. The fix ensures the details are updated regardless of the backend in use; a small oversight in the previous functionality made refreshing ineffectual prior to v4.37.0.
Ensure you restart between user database changes.
CPE | Name | Operator | Version
---|---|---|---
 | github.com/authelia/authelia/v4 | lt | 4.38.0