Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-36456

Disclosure Date: July 06, 2023 •

CVE-2023-36456 CVSS v3 Base Score: 7.3

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the go code. Only authentik setups that are directly accessible by users without a reverse proxy are susceptible to this. Possible spoofing of IP addresses in logs, downstream applications proxied by (built in) outpost, IP bypassing in custom flows if used.

This poses a possible security risk when someone has flows or policies that check the user’s IP address, e.g. when they want to ignore the user’s 2 factor authentication when the user is connected to the company network. A second security risk is that the IP addresses in the logfiles and user sessions are not reliable anymore. Anybody can spoof this address and one cannot verify that the user has logged in from the IP address that is in their account’s log. A third risk is that this header is passed on to the proxied application behind an outpost. The application may do any kind of verification, logging, blocking or rate limiting based on the IP address, and this IP address can be overridden by anybody that want to.

Versions 2023.4.3 and 2023.5.5 contain a patch for this issue.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.3 High

Impact Score:

3.4

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

Low

Integrity (I):

Low

Availability (A):

Low

Vendors

goauthentik

Products

authentik

References

Canonical

CVE-2023-36456 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36456)

Miscellaneous

https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv

https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff

https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a

https://goauthentik.io/docs/releases/2023.4#fixed-in-202343

https://goauthentik.io/docs/releases/2023.5#fixed-in-202355

Rapid7

Unknown

CVE-2023-36456

Unknown

Unknown

None

None

Network

CVE-2023-36456

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2023-36456

Unknown

Unknown

None

None

Network

CVE-2023-36456

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification