PT-2024-35168 · Authentik · Authentik

Mgerstner · Published 2024-11-21 · Updated 2026-04-16 · CVE-2024-52307

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
authentik versions prior to 2024.8.5
authentik version 2024.10.3

Description
The issue stems from the use of a non-constant-time comparison for the "/-/metrics/" endpoint, which made it possible to brute-force the SECRET KEY used to authenticate the endpoint. This endpoint returns Prometheus metrics and is not intended to be accessed directly; it is meant to be accessed by the Go proxy running in the authentik server container, which serves the data on a separate port. Since the endpoint is not intended to be publicly reachable, requests to it can be blocked by the reverse proxy or load balancer used with authentik.

Recommendations
For versions prior to 2024.8.5, update to version 2024.8.5 or later to fix the issue. Version 2024.10.3 already contains the fix, so no further action is required for that version. As a temporary workaround, consider blocking requests to the "/-/metrics/" endpoint in the reverse proxy or load balancer configuration to minimize the risk of exploitation.
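The defect class described above, shown beside its standard remedy, as an added example that is not code from authentik or from this advisory. A plain string equality check returns as soon as the first differing byte is found, so its running time depends on how much of the presented token matches; the hardened version hashes both values to a fixed length and compares them with hmac.compare_digest, whose running time does not depend on the contents. The function and variable names, the bearer-token header format and the secret value are all assumptions made for the illustration, not authentik's real implementation or configuration.

```python
import hashlib
import hmac

# Constructed placeholder; a real deployment reads its secret from configuration.
EXAMPLE_SECRET_KEY = "example-secret-key-not-real"


def check_metrics_token_unsafe(presented: str, expected: str) -> bool:
    """Vulnerable pattern, kept only for contrast with the hardened version.

    '==' on str short-circuits at the first mismatching character, so the
    time it takes is correlated with the length of the matching prefix.
    """
    return presented == expected


def check_metrics_token(presented: str, expected: str) -> bool:
    """Hardened pattern: constant-time comparison of fixed-length digests.

    Hashing both sides first means the comparison always runs over 32 bytes,
    so neither the token length nor its contents influence the timing.
    """
    presented_digest = hashlib.sha256(presented.encode("utf-8")).digest()
    expected_digest = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(presented_digest, expected_digest)


def authorize_metrics_request(headers: dict, expected_secret: str) -> bool:
    """Assumed shape of an internal metrics-endpoint check: a bearer token
    in the Authorization header must match the shared secret."""
    auth_header = headers.get("Authorization", "")
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return check_metrics_token(token, expected_secret)


if __name__ == "__main__":
    # Constructed requests: one with the right token, one without.
    good = {"Authorization": f"Bearer {EXAMPLE_SECRET_KEY}"}
    bad = {"Authorization": "Bearer example-secret-key-not-reaL"}
    print("good request authorized:", authorize_metrics_request(good, EXAMPLE_SECRET_KEY))
    print("bad request authorized:", authorize_metrics_request(bad, EXAMPLE_SECRET_KEY))
```

Note that the comparison fix closes the timing side channel but does not change the exposure of the endpoint itself; the network-level restriction in the recommendations above (only the in-container proxy should reach "/-/metrics/") remains the primary control.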

Related Identifiers

BIT-AUTHENTIK-2024-52307
CVE-2024-52307
GHSA-2XRW-5F2X-M56J

Affected Products

Authentik