PT-2023-25576 · Authentik · Authentik

Thijsa · Published 2023-07-06 · Updated 2026-04-16 · CVE-2023-36456

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: authentik versions prior to 2023.4.3 and 2023.5.5
Description: The issue concerns the lack of verification of the source of the X-Forwarded-For and X-Real-IP headers in authentik, an open-source Identity Provider. Because the headers are trusted regardless of which peer sent them, any client can set its own apparent IP address. This poses a security risk when flows or policies make decisions based on the user's IP address, such as skipping two-factor authentication for connections from a company network. Additionally, IP addresses recorded in log files and user sessions become unreliable, since anybody can spoof this address. The header is also passed on to proxied applications behind an outpost, so any verification, logging, blocking, or rate limiting those applications perform based on the IP address can be overridden as well.
Recommendations: For versions prior to 2023.4.3, update to version 2023.4.3 or later to resolve the issue. For versions prior to 2023.5.5, update to version 2023.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the X-Forwarded-For and X-Real-IP headers until a patch is applied.
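The description above hinges on one detail: a forwarding header is only meaningful when the peer that delivered it is a proxy you control. The following added example (not authentik's code, and not taken from the advisory) contrasts the vulnerable pattern, believing X-Forwarded-For from any peer, with a hardened resolver that ignores the headers unless the TCP peer is a known proxy and then walks the hop list from the right to discard trusted hops. The proxy ranges, the "corporate" network and the client addresses are constructed from RFC 5737 documentation space and private ranges; the MFA check is a hypothetical policy included only to show the consequence.

```python
import ipaddress

# Constructed: reverse proxies whose forwarding headers we are willing to believe.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]

# Constructed: the network for which a hypothetical policy skips two-factor auth.
CORPORATE_NETWORK = ipaddress.ip_network("203.0.113.0/24")


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, headers):
    """Vulnerable pattern: trust X-Forwarded-For / X-Real-IP no matter who sent them."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        # Leftmost entry is conventionally the original client, but any peer can write it.
        return xff.split(",")[0].strip()
    return headers.get("X-Real-IP", remote_addr)


def trusted_client_ip(remote_addr, headers):
    """Hardened resolver: forwarding headers count only when the peer is a trusted proxy.

    Hops are consumed from the right; each trusted proxy hop is discarded and the
    first untrusted address is the client. Anything malformed falls back to the
    peer address, so a bad header can never promote the request.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        # Direct connection (or an untrusted intermediary): the headers are attacker-controlled.
        return remote_addr

    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops and headers.get("X-Real-IP"):
        hops = [headers["X-Real-IP"].strip()]

    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # unparseable entry: do not guess
        if not _is_trusted_proxy(addr):
            return str(addr)

    # Every hop was one of our proxies (or there were none): the peer is the client.
    return remote_addr


def requires_mfa(client_ip):
    """Hypothetical policy: skip the second factor only for the corporate network."""
    return ipaddress.ip_address(client_ip) not in CORPORATE_NETWORK


if __name__ == "__main__":
    # A remote client connects directly and claims a corporate address.
    spoofed = {"X-Forwarded-For": "203.0.113.5"}
    print("naive  :", naive_client_ip("198.51.100.7", spoofed),
          "mfa:", requires_mfa(naive_client_ip("198.51.100.7", spoofed)))
    print("trusted:", trusted_client_ip("198.51.100.7", spoofed),
          "mfa:", requires_mfa(trusted_client_ip("198.51.100.7", spoofed)))
```

The same client-supplied prefix is harmless once the request arrives through a trusted proxy: with X-Forwarded-For of `203.0.113.5, 198.51.100.7, 10.0.0.3` delivered by peer `10.0.0.2`, the resolver discards the proxy hop, stops at `198.51.100.7` and never reaches the forged leftmost entry. Applying the interim workaround from the advisory amounts to the same idea at the proxy layer: strip or overwrite these headers at the edge so that the application only ever sees values written by infrastructure you operate.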

Exploit

Fix


Weakness Enumeration

Related Identifiers

BIT-AUTHENTIK-2023-36456
CVE-2023-36456
GHSA-CMXP-JCW7-JJJV

Affected Products

Authentik