CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L (this vector computes to a CVSS 3.1 base score of 8.6, High)
github.com/goauthentik/authentik is vulnerable to Improper Access Control (GHSA-jq3m-37m7-gp45). The access restrictions assigned to an application (its policy bindings, in authentik terms) were not checked in the OAuth2 device authorization ("device code") flow. An authentik user who is not authorized for a given application could therefore complete the device flow for it, obtain OAuth tokens for that application and potentially access it. Note that the CVSS vector above rates Privileges Required as NONE, while the description assumes the attacker can authenticate to authentik as some user; when assessing exposure, treat every account that can sign in and reach the device flow as in scope, not only privileged ones. Fixed in authentik 2024.2.4, 2024.4.3 and 2024.6.0.
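The following is an added illustration, not authentik's own code, of what "access restrictions not checked in the device code flow" means in practice. It models the three legs of the RFC 8628 device authorization grant (device obtains codes, a browser-authenticated user approves the user code, the device polls the token endpoint) and runs them once with the application access check skipped and once with it enforced. The users, groups, applications and the group-based access rule are constructed stand-ins for authentik's policy bindings; the page does not say at which step authentik evaluates its policies, so here the check is placed at token issuance as an assumption. It also includes a small version check built from the fixed release tags listed below; its treatment of pre-release strings as unpatched is a conservative assumption.

```python
"""Model of the OAuth2 device authorization grant (RFC 8628) and the
application access check at issue in GHSA-jq3m-37m7-gp45.
Added illustration, not authentik code: users, groups, applications and the
group-based rule are constructed stand-ins for authentik's policy bindings."""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Application:
    slug: str
    allowed_groups: frozenset  # stand-in for the application's policy bindings


@dataclass
class User:
    username: str
    groups: frozenset


@dataclass
class DeviceCode:
    device_code: str
    user_code: str
    app: Application
    user: Optional[User] = None  # set once a user approves the user_code


def user_may_access(user: User, app: Application) -> bool:
    """The access restriction the vulnerable flow never consulted (assumed model)."""
    return bool(user.groups & app.allowed_groups)


class DeviceFlowServer:
    """Authorization-server side of RFC 8628. enforce_app_policy=False
    reproduces the flaw, True the fixed behaviour."""

    def __init__(self, enforce_app_policy: bool) -> None:
        self.enforce_app_policy = enforce_app_policy
        self.pending: dict[str, DeviceCode] = {}

    def device_authorization(self, app: Application) -> DeviceCode:
        """Device Authorization Request: the device obtains a device_code and user_code."""
        dc = DeviceCode(secrets.token_urlsafe(32), secrets.token_hex(4).upper(), app)
        self.pending[dc.device_code] = dc
        return dc

    def approve(self, user_code: str, user: User) -> bool:
        """A browser-authenticated user enters the user_code on the verification page."""
        for dc in self.pending.values():
            if dc.user_code == user_code and dc.user is None:
                dc.user = user
                return True
        return False

    def token(self, device_code: str) -> dict:
        """Device Access Token Request: the device polls until the code is approved."""
        dc = self.pending.get(device_code)
        if dc is None:
            return {"error": "invalid_grant"}
        if dc.user is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is single use either way
        # The fix: evaluate the application's access restrictions against the
        # user who approved the code before minting a token for that application.
        if self.enforce_app_policy and not user_may_access(dc.user, dc.app):
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "sub": dc.user.username, "aud": dc.app.slug}


def run_flow(enforce_app_policy: bool, user: User, app: Application) -> dict:
    """Drive one complete grant and return the token endpoint's final answer."""
    srv = DeviceFlowServer(enforce_app_policy)
    dc = srv.device_authorization(app)
    if srv.token(dc.device_code) != {"error": "authorization_pending"}:
        raise RuntimeError("token issued before any user approved the code")
    if not srv.approve(dc.user_code, user):
        raise RuntimeError("user_code not accepted")
    return srv.token(dc.device_code)


# Constructed sample data: only members of finance-team may use "finance".
FINANCE = Application("finance", frozenset({"finance-team"}))
ALICE = User("alice", frozenset({"finance-team"}))
MALLORY = User("mallory", frozenset({"everyone"}))  # no binding grants access

# Fixed release tags from the advisory references, one per release line.
FIXED_VERSIONS = ((2024, 2, 4), (2024, 4, 3), (2024, 6, 0))


def is_fixed(version: str) -> bool:
    """True if an authentik release string is at or beyond the fix for its line.
    Pre-release/dev suffixes are treated as unpatched (conservative assumption)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return False
    v = tuple(int(x) for x in m.groups())
    if v >= FIXED_VERSIONS[-1]:
        return True
    return any(v[:2] == f[:2] and v >= f for f in FIXED_VERSIONS)


if __name__ == "__main__":
    print("vulnerable, unauthorized user:", run_flow(False, MALLORY, FINANCE))
    print("fixed, unauthorized user:     ", run_flow(True, MALLORY, FINANCE))
    print("fixed, authorized user:       ", run_flow(True, ALICE, FINANCE))
    for ver in ("2024.2.3", "2024.2.4", "2024.4.2", "2024.4.3", "2024.6.0"):
        print(ver, "patched" if is_fixed(ver) else "affected")
```

With the check disabled, mallory, who is bound to no policy that grants the application, still receives a bearer token whose audience is "finance"; with it enabled the same grant ends in access_denied while alice's succeeds. When auditing a deployment, compare the running version against is_fixed and, for the affected window, review token and event logs for device-flow grants issued to users outside the application's bindings.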
References
Fix commits:
github.com/goauthentik/authentik/pull/10233/commits/d6d79f2d39aed9d8af4813419ef87492d8b821cc
github.com/goauthentik/authentik/pull/10234/commits/6607464964cb86936b8c72a489abfbe146c15e81
github.com/goauthentik/authentik/pull/10235/commits/c9c6a73257808baf972f2a8a088d8a0b82b29d9f
Fixed releases:
github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4
github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3
github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0
Advisory:
github.com/goauthentik/authentik/security/advisories/GHSA-jq3m-37m7-gp45