GO-2024-3160 Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos
Ory Kratos's setting `required_aal` `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos...
GHSA-WC43-73W7-X2F5 Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials
Preconditions: - The code login method is enabled with the `passwordless_enabled` flag set to true. - A 2FA method such as TOTP is enabled. - `required_aal` of the whoami check or the settings flow is set to `highest_available`. AAL stands for Authenticator Assurance Level and can range from 0 (no factor) ...
CVE-2024-45042 Ory Kratos's `highest_available` setting does not properly respect code + mfa credentials
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the identity's highest available AAL is aal1 even though it really is aal2. This means that t...