PT-2024-31393 · Ory · Ory Kratos
Aeneasr · Published 2024-09-26 · Updated 2024-09-30
CVE-2024-45042
CVSS v4.0: 5.9 (Medium)
Vector: AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Ory Kratos versions prior to 1.3.0
Description: Ory Kratos is an identity, user management, and authentication system for cloud services. The highest_available setting incorrectly assumes the identity's highest available Authenticator Assurance Level (AAL) is aal1 instead of aal2 under certain preconditions. This allows users to call the settings and whoami endpoints without an aal2 session. An attacker would need to steal or guess a valid login OTP of a user who has only OTP login enabled and an incorrect available AAL value stored in order to exploit this issue. Only 0.00066% of registered users on the Ory Network were affected, and most were test users. Their AAL values have been updated, and they are no longer vulnerable.
Recommendations: For versions prior to 1.3.0, disable the passwordless code login method if MFA is required. If that is not possible, check the session's aal to identify whether the user has aal1 or aal2.
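The second recommendation, checking the session's AAL in the application rather than relying on the highest_available setting, can be done against the session object that Kratos returns from its whoami endpoint. The following is an added example for this advisory, not Ory's code. It assumes the JSON shape of a GET /sessions/whoami response (top-level active, expires_at, authenticator_assurance_level and an authentication_methods list with method and aal per entry), and the two session documents embedded below are constructed samples. The authorize function refuses a route that requires aal2 unless the session itself is aal2, which is exactly the case the vulnerable highest_available logic let through.

```python
"""Enforce a minimum Authenticator Assurance Level (AAL) on an Ory Kratos
session before serving a sensitive route.

Added example, not Ory's code. It assumes the JSON shape returned by the
Kratos GET /sessions/whoami endpoint: a top-level "active" flag,
"expires_at" (RFC 3339), "authenticator_assurance_level", and an
"authentication_methods" list whose entries carry "method" and "aal".
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Kratos' AAL names in increasing order of assurance. Anything missing or
# unrecognised is ranked as aal0 so an unexpected value can only fail closed.
AAL_RANK = {"aal0": 0, "aal1": 1, "aal2": 2}


def aal_rank(value) -> int:
    return AAL_RANK.get(value, 0)


def session_aal(session: dict) -> str:
    """Return the AAL the session should be trusted for.

    authenticator_assurance_level is the primary signal. As defence in depth
    the strongest aal among the recorded authentication_methods is computed
    too, and the weaker of the two is returned: a session is never treated as
    stronger than the methods it actually completed.
    """
    stated = session.get("authenticator_assurance_level")
    if stated not in AAL_RANK:
        stated = "aal0"
    strongest_method = "aal0"
    for method in session.get("authentication_methods") or []:
        if aal_rank(method.get("aal")) > aal_rank(strongest_method):
            strongest_method = method["aal"]
    return min(stated, strongest_method, key=aal_rank)


def session_is_active(session: dict, now: datetime) -> bool:
    """A session counts only if Kratos marks it active and it has not expired."""
    if not session.get("active"):
        return False
    expires_at = session.get("expires_at")
    if not expires_at:
        return False
    expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    return now < expiry


def authorize(session: dict, required_aal: str = "aal2",
              now: datetime | None = None) -> tuple[bool, str]:
    """Decide whether the session may reach a route that requires required_aal.

    Returns (allowed, reason). On an AAL shortfall the application should send
    the user back through login to complete the second factor rather than
    serving the route.
    """
    now = now or datetime.now(timezone.utc)
    if not session_is_active(session, now):
        return False, "session inactive or expired"
    have = session_aal(session)
    if aal_rank(have) < aal_rank(required_aal):
        return False, f"session is {have}, route requires {required_aal}"
    return True, f"session is {have}"


# Constructed whoami responses, trimmed to the fields used above.
SESSION_CODE_ONLY = json.loads("""{
  "id": "00000000-0000-0000-0000-000000000001",
  "active": true,
  "expires_at": "2099-01-01T00:00:00Z",
  "authenticator_assurance_level": "aal1",
  "authentication_methods": [
    {"method": "code", "aal": "aal1", "completed_at": "2024-09-26T10:00:00Z"}
  ]
}""")

SESSION_WITH_TOTP = json.loads("""{
  "id": "00000000-0000-0000-0000-000000000002",
  "active": true,
  "expires_at": "2099-01-01T00:00:00Z",
  "authenticator_assurance_level": "aal2",
  "authentication_methods": [
    {"method": "password", "aal": "aal1", "completed_at": "2024-09-26T10:00:00Z"},
    {"method": "totp", "aal": "aal2", "completed_at": "2024-09-26T10:00:30Z"}
  ]
}""")

if __name__ == "__main__":
    for name, sess in (("code-only", SESSION_CODE_ONLY), ("password+totp", SESSION_WITH_TOTP)):
        print(name, authorize(sess, "aal2"))
```

The check is deliberately independent of how Kratos computed the identity's highest available AAL: it only asks what the current session has proven, so a stale or wrong stored value cannot widen access to settings or whoami-gated routes.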

Weakness Enumeration
Improper Authentication

Related Identifiers
CVE-2024-45042
GHSA-WC43-73W7-X2F5
GO-2024-3160

Affected Products
Ory Kratos