NVD: CVE-2024-38371

Published: Jun 28, 2024, 18:15
Weaknesses: CWE-285 (Improper Authorization), CWE-284 (Improper Access Control)
Source: web.nvd.nist.gov
Tags: authentik, identity provider, oauth2, access restriction, bypass, patch, version, cve-2024-38371

CVSS v3.1: 8.6 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: Low
Availability Impact: Low

EPSS: 0.0004 (Low), percentile 15.7%

authentik is an open-source Identity Provider. Access restrictions (policies) assigned to an application were not evaluated when a user completed the OAuth2 Device code flow. As a result, users who were authenticated to authentik but not authorized for a given application could obtain OAuth tokens for that application and access it. The defect is an authorization failure, not an authentication bypass: the user still has to log in, but the per-application policy that should have excluded them is never consulted. Fixed in versions 2024.2.4, 2024.4.3 and 2024.6.0; deployments using the device flow should upgrade to one of those releases or later.
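The class of bug described above is easiest to see against a small model of the device authorization grant (RFC 8628). The following Python is an added example written for this page, not authentik's code: `Application`, `DeviceGrant`, `DeviceFlow`, the group-based `policy_allows` stand-in and the `enforce_app_policy` switch are all constructed here. With the switch off, the token endpoint hands out a token to any user who entered the user code, which is the unpatched behaviour the advisory describes; with it on, the application's access policy is checked against the approving user before a token is issued, and a failing check consumes the grant and returns `access_denied`.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) that shows
where an identity provider must enforce an application's access policy.
Constructed example for illustration; not authentik's code."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    groups: frozenset


@dataclass
class Application:
    """Stand-in for an IdP application carrying a group-based access policy."""
    client_id: str
    allowed_groups: frozenset

    def policy_allows(self, user: User) -> bool:
        return bool(user.groups & self.allowed_groups)


@dataclass
class DeviceGrant:
    client_id: str
    device_code: str
    user_code: str
    expires_at: float
    user: Optional[User] = None  # set when the user finishes the browser step


class DeviceFlow:
    def __init__(self, apps, enforce_app_policy: bool):
        self.apps: Dict[str, Application] = {a.client_id: a for a in apps}
        self.grants: Dict[str, DeviceGrant] = {}  # device_code -> grant
        # False reproduces the unpatched behaviour: the approving user is
        # authenticated, but the application's access policy is never consulted.
        self.enforce_app_policy = enforce_app_policy

    def device_authorization(self, client_id: str) -> dict:
        """Device -> /device/authorize: mint a device_code and a user_code."""
        if client_id not in self.apps:
            return {"error": "invalid_client"}
        grant = DeviceGrant(client_id, secrets.token_urlsafe(32),
                            secrets.token_hex(4).upper(), time.time() + 600)
        self.grants[grant.device_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code}

    def approve(self, user_code: str, user: User) -> dict:
        """Browser step: an authenticated user types the user_code."""
        for grant in self.grants.values():
            if grant.user_code == user_code and grant.user is None:
                grant.user = user
                return {"status": "approved"}
        return {"error": "invalid_user_code"}

    def token(self, device_code: str) -> dict:
        """Device polls /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self.grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            self.grants.pop(device_code)
            return {"error": "expired_token"}
        if grant.user is None:
            return {"error": "authorization_pending"}
        app = self.apps[grant.client_id]
        # The fix: authentication alone is not authorization. The application's
        # access policy must pass for the user who approved the device; otherwise
        # the grant is consumed and no token is issued.
        if self.enforce_app_policy and not app.policy_allows(grant.user):
            self.grants.pop(device_code)
            return {"error": "access_denied"}
        self.grants.pop(device_code)  # device codes are single use
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "sub": grant.user.username}


def run_flow(user: User, enforce_app_policy: bool) -> dict:
    """End to end: device asks, user approves in a browser, device polls /token."""
    app = Application("cli-tool", allowed_groups=frozenset({"ops"}))  # constructed app
    idp = DeviceFlow([app], enforce_app_policy)
    start = idp.device_authorization("cli-tool")
    assert idp.token(start["device_code"]) == {"error": "authorization_pending"}
    idp.approve(start["user_code"], user)
    return idp.token(start["device_code"])


if __name__ == "__main__":
    ops_user = User("alice", frozenset({"ops"}))        # constructed users
    other_user = User("bob", frozenset({"marketing"}))
    print(run_flow(other_user, enforce_app_policy=False))  # bypass: token issued
    print(run_flow(other_user, enforce_app_policy=True))   # access_denied
    print(run_flow(ops_user, enforce_app_policy=True))     # token issued
```

The check is placed at token issuance because that is the last point under the identity provider's control before the client gets a credential; an implementation may additionally evaluate the policy when the user enters the code, for a better error message, but the token endpoint check is the one that must not be missing. When auditing an IdP for this class of issue, exercise every grant type (authorization code, device code, client credentials, refresh) with a user the application's policy should reject, and confirm each one fails at the token endpoint.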
