PT-2024-27965: authentik (vendor: Beryju)
Published: 2024-06-28
Updated: 2026-04-16
CVE: CVE-2024-38371
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
authentik versions prior to 2024.2.4
authentik versions prior to 2024.4.3
authentik versions prior to 2024.6.0
Description
authentik, an open-source identity provider, did not check the access restrictions assigned to an application when tokens were requested through the OAuth2 Device Authorization Grant (the "device code flow", RFC 8628). A user who was not authorized for the application could therefore obtain OAuth tokens for it and access it.
Recommendations
For versions prior to 2024.2.4, update to version 2024.2.4 or later.
For versions prior to 2024.4.3, update to version 2024.4.3 or later.
For versions prior to 2024.6.0, update to version 2024.6.0 or later.
Weakness classification
Improper Access Control
Improper Authorization
Affected Products
Authentik