PT-2024-29987 · Authentik · Authentik
M2A2
Published 2024-08-22 · Updated 2026-04-19
CVE-2024-42490
CVSS v4.0: 9.1 (Critical)
CVSS v4.0 vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:H/SI:N/SA:H
Name of the Vulnerable Software and Affected Versions
authentik versions prior to 2024.4.4
authentik versions 2024.6.0-rc1 through 2024.6.3
authentik versions prior to 2024.8.0
Description
authentik is an open-source Identity Provider. In the affected versions, several API endpoints can be reached by users without correct authentication or authorization. The main affected endpoints are "/api/v3/crypto/certificatekeypairs/<uuid>/view_certificate/", "/api/v3/crypto/certificatekeypairs/<uuid>/view_private_key/", and "/api/v3/.../used_by/". Reaching them requires knowing the target object's ID, which is not easily accessible to unprivileged users (especially for certificates), and since the IDs are mostly UUIDv4 they are not practically guessable or enumerable.
Recommendations
For versions prior to 2024.4.4, update to version 2024.4.4 or later.
For versions 2024.6.0-rc1 through 2024.6.3, update to version 2024.6.4 or later.
For versions prior to 2024.8.0, update to version 2024.8.0 or later.
As a temporary workaround, consider blocking access to the affected API endpoints at the reverse proxy / load balancer in front of authentik to prevent exploitation.
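The workaround above, as an added nginx example (not configuration from the advisory or from the authentik project): regex locations deny the three endpoint families listed in the description while everything else is proxied to authentik. The upstream address and server_name are placeholders.

```nginx
# Added example: temporary reverse-proxy workaround for the affected
# authentik API endpoints. Upstream address and server_name are placeholders.
upstream authentik_backend {
    server 127.0.0.1:9000;
}

server {
    listen 443 ssl;
    server_name sso.example.com;   # placeholder

    # Certificate / private-key viewers on certificatekeypairs. The object id
    # segment is a UUID, so match any single non-empty path segment there.
    # nginx evaluates regex locations against the normalized, URL-decoded
    # $uri, so percent-encoded variants of the path are matched as well.
    location ~ ^/api/v3/crypto/certificatekeypairs/[^/]+/view_(certificate|private_key)/?$ {
        return 403;
    }

    # used_by action on any API object under /api/v3/.
    location ~ ^/api/v3/.+/used_by/?$ {
        return 403;
    }

    # Regex locations above take precedence over this prefix location,
    # so only non-blocked requests reach authentik.
    location / {
        proxy_pass http://authentik_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Blocking used_by for everyone also affects legitimate admin users of authentik's own web interface, which calls that action (for example when confirming deletions), so treat this as a stopgap until the upgrade is applied.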
Weakness: Incorrect Authorization / Improper Authorization
Affected Products: Authentik