Vulnerability Description
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Goauthentik | Authentik | < 2023.8.7 |
Related Weaknesses (CWE)
References
- https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8dPatch
- https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqjThird Party Advisory
- https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8dPatch
- https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqjThird Party Advisory
FAQ
What is CVE-2024-23647?
CVE-2024-23647 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge paramete...
How severe is CVE-2024-23647?
CVE-2024-23647 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-23647?
Check the references section above for vendor advisories and patch information. Affected products include: Goauthentik Authentik.