Veracode Vulnerability DatabaseVERACODE:44108Account Takeover
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
40.6%
authentik is vulnerable to potential account takeover. authentik uses a blueprint to create default admin user, which also optionally sets an admin password from environment variable. When the default admin is deleted, it is possible for an attacker to set the password for admin user without authentication.
References
github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0
github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc
github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2
github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4
github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
40.6%