QwikSec

Security Database

CVE

CWE

Training

CVE-2024-52287

Published: Nov 21, 2024

Modified: Nov 21, 2024

PUBLISHED

Description

authentik is an open-source identity provider. When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. authentik 2024.8.5 and 2024.10.3 fix this issue.

Vendor	Product	Versions
goauthentik	authentik	affected `< 2024.8.5` affected `>= 2024.10.0-rc1, < 2024.10.3`

Weaknesses (CWE)

References

https://github.com/goauthentik/authentik/security/advisories/GHSA-v6m7-8j37-8f4v

x_refsource_CONFIRM

https://github.com/goauthentik/authentik/commit/e9c29e1644e9199b4ba58d2b10eb8c322138eea2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.