Vulnerability Description
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. This security issue does not directly impact the security of the web application itself. As a workaround, one can use a reverse proxy to strip the query parameter from the affected endpoint. There is a patch for version 4.28.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Authelia | Authelia | < 4.28.0 |
Related Weaknesses (CWE)
References
- https://github.com/authelia/authelia/security/advisories/GHSA-36f2-fcrx-fp4jPatchThird Party Advisory
- https://github.com/authelia/authelia/security/advisories/GHSA-36f2-fcrx-fp4jPatchThird Party Advisory
FAQ
What is CVE-2021-29456?
CVE-2021-29456 is a vulnerability with a CVSS score of 5.7 (MEDIUM). Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, ut...
How severe is CVE-2021-29456?
CVE-2021-29456 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-29456?
Check the references section above for vendor advisories and patch information. Affected products include: Authelia Authelia.