Improper Authentication
github.com/ory/kratos is vulnerable to Improper Authentication. The vulnerability is due to an incorrect assumption that the highest available Authentication Assurance Level (AAL) is aal1 instead of aal2, allowing users to access endpoints without the required aal2 session under certain...
CVE-2024-45042 Ory Kratos's `highest_available` setting does not properly respect code + mfa credentials
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the identity's highest available AAL is aal1 even though it really is aal2. This means that t...