Lucene search

Veracode Vulnerability DatabaseVERACODE:44110

HistoryNov 02, 2023 - 10:32 a.m.

Unauthorised User Account Creation

2023-11-0210:32:45

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

authentik

unauthorized creation

potential account takeover

default flows

unauthenticated users

email password recovery

account hijack

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

Low

EPSS

0.003

Percentile

66.0%

JSON

authentik is vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create a new account. If a flow allows email password recovery, attackers can overwrite the email address of admin accounts and take over the account.

References

github.com/goauthentik/authentik/commit/e1a6dede54eaeda6887ebf11d78251f1db3cb15c

github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

Low

EPSS

0.003

Percentile

66.0%

JSON

Related for VERACODE:44110