CVE-2024-45042 Ory Kratos's `highest_available` setting does not properly respect code + mfa credentials
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the identity’s highest available AAL is aal1 even though it really is aal2. This means that t...