
CVE-2024-21637

Reported by @lauritzh

XSS in authentik via JavaScript URI as redirect URI and form_post response mode

Summary

Given an OAuth2 provider configured with allowed redirect URIs set to * or .*, an attacker can send an OAuth Authorization request using response_mode=form_post and setting redirect_uri to a malicious URI, to capture authentik's session token.

Patches

authentik 2023.8.6 and 2023.10.6 fix this issue.

Impact

The impact depends on the attack scenario. The following sections describe the two scenarios that were identified for authentik.

Redirect URI misconfiguration

Although authentik advises that this can cause security issues, authentik generally allows wildcards as redirect URIs. Therefore, using only a wildcard and effectively allowing arbitrary URLs is a possible misconfiguration that can be present in real-world instances.

In such cases, unauthenticated and unprivileged attackers can perform the actions described above.

User with (only) App Administration Permissions

A more likely scenario is an administrative user (e.g. a normal developer) having only permissions to manage applications.

This relatively low-privileged user could use the described attacks to perform a privilege escalation.

Workaround

It is recommended to upgrade to the patched version of authentik. If that is not possible, ensure that OAuth2 providers do not use a wildcard (* or .*) value as the allowed redirect URI setting. (This is not exploitable if only part of the redirect URI is a wildcard, for example https://foo-.*\.bar\.com)
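The following is an added illustration of the two defensive checks this advisory implies, written for this page and not taken from authentik's code base: an audit helper that flags allowed-redirect patterns consisting only of a wildcard (the misconfiguration in the Summary and Workaround), and a defense-in-depth validator that rejects any redirect_uri whose scheme is not https before it is matched against the allowed patterns, so a JavaScript URI never reaches the form_post step. It assumes, as authentik's `.*` syntax suggests, that allowed redirect URIs are regular expressions matched against the full submitted URI; the pattern and URI values are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Patterns that match every possible URI. A provider configured with one of
# these is the misconfiguration described in the advisory. (Constructed list.)
WILDCARD_ONLY_PATTERNS = {"*", ".*", "^.*", ".*$", "^.*$"}

# Assumption for this example: only https redirect targets are acceptable.
# This rejects javascript:, data:, and other non-network schemes outright.
SAFE_SCHEMES = {"https"}


def is_wildcard_only(pattern: str) -> bool:
    """True if an allowed-redirect pattern accepts any URI whatsoever."""
    return pattern.strip() in WILDCARD_ONLY_PATTERNS


def audit_allowed_redirects(patterns):
    """Return the subset of configured patterns that allow arbitrary URIs.

    A non-empty result means the provider is exposed to the issue even on
    unpatched versions; partial wildcards such as https://foo-.*\\.bar\\.com
    are not reported, matching the advisory's Workaround section.
    """
    return [p for p in patterns if is_wildcard_only(p)]


def redirect_uri_is_acceptable(redirect_uri: str, allowed_patterns) -> bool:
    """Defense-in-depth validation of redirect_uri from an authorization request.

    1. The URI must parse with an https scheme and a non-empty host, so
       scheme-only values like javascript: are refused before any matching.
    2. The URI must fully match at least one allowed pattern; wildcard-only
       patterns are ignored rather than trusted.
    """
    parsed = urlparse(redirect_uri)
    if parsed.scheme.lower() not in SAFE_SCHEMES or not parsed.netloc:
        return False
    for pattern in allowed_patterns:
        if is_wildcard_only(pattern):
            continue  # never let "*" or ".*" grant access
        if re.fullmatch(pattern, redirect_uri):
            return True
    return False


if __name__ == "__main__":
    # Constructed configuration: one wildcard-only entry and one proper entry.
    configured = ["*", r"https://app\.example\.com/callback"]
    print("wildcard-only patterns:", audit_allowed_redirects(configured))
    print(redirect_uri_is_acceptable("https://app.example.com/callback", configured))
    print(redirect_uri_is_acceptable("javascript:void(0)", configured))
```

Run the audit over every OAuth2 provider's allowed-redirect list when checking an unpatched instance; any provider whose audit result is non-empty needs its redirect URIs narrowed as the Workaround describes. The scheme check is independent of the pattern list, which is why it still rejects a JavaScript URI even when the configured pattern is a bare wildcard.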

For more information

If you have any questions or comments about this advisory: