PT-2024-19998 · Authentik · Authentik

Pieterphilippaerts · Published 2024-01-29 · Updated 2026-04-16 · CVE-2024-23647

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Authentik versions prior to 2023.8.7; Authentik versions prior to 2023.10.7
Description: Authentik is an open-source Identity Provider with a bug in its implementation of PKCE that allows an attacker to circumvent the protection PKCE offers. PKCE adds the code challenge parameter to the authorization request and the code verifier parameter to the token request. Prior to versions 2023.8.7 and 2023.10.7, a downgrade is possible: if the attacker removes the code challenge parameter from the authorization request, authentik skips the PKCE check when the code is later exchanged at the token request. This bug enables an attacker to perform authorization code injection attacks and CSRF attacks.
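The downgrade described above, modelled as an added example that is not authentik's own code: a toy authorization server whose token endpoint either skips PKCE entirely when no challenge was stored (the vulnerable behaviour) or refuses a code_verifier that arrives for a code with no bound challenge (the hardened behaviour). The class and function names, the in-memory code store and the token strings are assumptions made for the illustration.

```python
import base64, hashlib, secrets
from typing import Optional

class TokenError(Exception):
    """Raised when the token endpoint refuses to redeem an authorization code."""

def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(code_verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:
    """Toy OAuth 2.0 server modelling only the PKCE binding between endpoints."""

    def __init__(self, enforce_pkce: bool) -> None:
        self.enforce_pkce = enforce_pkce  # False reproduces the downgrade bug
        self.codes = {}  # issued code -> stored challenge (None if none arrived)

    def authorize(self, code_challenge: Optional[str]) -> str:
        # Stores whatever challenge arrived; a stripped parameter stores None.
        code = secrets.token_urlsafe(16)
        self.codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> str:
        if code not in self.codes:
            raise TokenError("invalid_grant: unknown or already used code")
        stored_challenge = self.codes.pop(code)
        if stored_challenge is None:
            # Vulnerable: no challenge bound, so PKCE is skipped. Hardened: a
            # verifier for a code with no challenge signals tampering; refuse.
            if self.enforce_pkce and code_verifier is not None:
                raise TokenError("invalid_grant: code_verifier without code_challenge")
            return "access-token-for-" + code
        if code_verifier is None or s256_challenge(code_verifier) != stored_challenge:
            raise TokenError("invalid_grant: PKCE verification failed")
        return "access-token-for-" + code

def run_flow(enforce_pkce: bool, strip_challenge: bool) -> bool:
    """One code flow; True if a token was issued. strip_challenge=True drops the
    code_challenge from the authorization request; the client still sends its verifier."""
    server = AuthorizationServer(enforce_pkce)
    code_verifier = secrets.token_urlsafe(32)  # the client's secret
    challenge = None if strip_challenge else s256_challenge(code_verifier)
    code = server.authorize(challenge)
    try:
        server.token(code, code_verifier)
    except TokenError:
        return False
    return True
```

With enforce_pkce=False the stripped flow still yields a token, which is the downgrade; with enforce_pkce=True the same flow is refused while an untampered flow continues to work.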
Recommendations: For versions prior to 2023.8.7, update to version 2023.8.7 or later. For versions prior to 2023.10.7, update to version 2023.10.7 or later. As a temporary workaround, consider restricting access to the authorization request endpoint to minimize the risk of exploitation. Avoid using the code challenge parameter in the authorization request until the issue is resolved.

Weakness Enumeration: Improper Authentication

Related Identifiers:
BIT-AUTHENTIK-2024-23647
CVE-2024-23647
GHSA-MRX3-GXJX-HJQJ
GO-2024-2479

Affected Products: Authentik