9.0
CRITICAL
CVE-2024-47070
Authentik X-Forwarded-For Header Bypass Vulnerability
Description

authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the authentik instance to trust X-Forwarded-For header provided by the attacker, thus it is not reproducible from external hosts on a properly configured environment. The issue occurs due to the password stage having a policy bound to it, which skips the password stage if the Identification stage is setup to also contain a password stage. Due to the invalid X-Forwarded-For header, which does not get validated to be an IP Address early enough, the exception happens later and the policy fails. The default blueprint doesn't correctly set `failure_result` to `True` on the policy binding meaning that due to this exception the policy returns false and the password stage is skipped. Versions 2024.8.3 and 2024.6.5 fix this issue.

INFO

Published Date :

Sept. 27, 2024, 4:15 p.m.

Last Modified :

Sept. 30, 2024, 12:45 p.m.

Remotely Exploitable :

Yes !

Impact Score :

6.0

Exploitability Score :

2.2
Affected Products

The following products are affected by CVE-2024-47070 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Goauthentik authentik
References to Advisories, Solutions, and Tools

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-47070 vulnerability anywhere in the article.

  • Cybersecurity News
Fortinet Warns of Actively Exploited Flaw in FortiManager: CVE-2024-47575 (CVSS 9.8)

Fortinet has issued a security advisory for its FortiManager platform, addressing a critical vulnerability—CVE-2024-47575—which has been actively exploited in the wild. This vulnerability, rated at CV ... Read more

Published Date: Oct 23, 2024 (1 month, 1 week ago)
  • Cybersecurity News
CVE-2024-43240 & CVE-2024-43242 in Ultimate Membership Pro Plugin Put 40,000 Websites at Risk

The Ultimate Membership Pro plugin, a premium WordPress plugin widely used for managing membership subscriptions, has been found to contain two critical vulnerabilities, according to a report from Raf ... Read more

Published Date: Oct 17, 2024 (1 month, 2 weeks ago)
  • Cybersecurity News
Apache CloudStack Patches Critical Security Flaws in Latest Release

The Apache CloudStack project has announced the release of LTS security releases 4.18.2.4 and 4.19.1.2 to address four security vulnerabilities, including two rated as “Important.” CloudStack is a pop ... Read more

Published Date: Oct 17, 2024 (1 month, 2 weeks ago)
  • Cybersecurity News
CISA Warns of Critical Flaws in TEM Opera Plus FM Transmitter Products Used in Critical Infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding two critical vulnerabilities in the TEM Opera Plus FM Family Transmitter products, widely used in crit ... Read more

Published Date: Oct 04, 2024 (2 months ago)
  • Cybersecurity News
Authd Vulnerability (CVE-2024-9313) Allows User Impersonation on Ubuntu Systems

A high-severity vulnerability, CVE-2024-9313 ((CVSS 8.8)), has been discovered in Authd, an authentication daemon used for secure identity and access management in Ubuntu machines. This flaw could all ... Read more

Published Date: Oct 04, 2024 (2 months ago)
  • Cybersecurity News
CVE-2024-47070: Critical Flaw in authentik Identity Provider Allows Authentication Bypass

A critical security vulnerability (CVE-2024-47070) has been discovered in the popular Identity Provider (IdP) and Single Sign-On (SSO) solution, authentik. Rated with a high CVSS score of 9.1, this fl ... Read more

Published Date: Oct 02, 2024 (2 months ago)

The following table lists the changes that have been made to the CVE-2024-47070 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Received by [email protected]

    Sep. 27, 2024

    Action Type Old Value New Value
    Added Description authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. `a`. This results in a possibility of logging into any account with a known login or email address. The vulnerability requires the authentik instance to trust X-Forwarded-For header provided by the attacker, thus it is not reproducible from external hosts on a properly configured environment. The issue occurs due to the password stage having a policy bound to it, which skips the password stage if the Identification stage is setup to also contain a password stage. Due to the invalid X-Forwarded-For header, which does not get validated to be an IP Address early enough, the exception happens later and the policy fails. The default blueprint doesn't correctly set `failure_result` to `True` on the policy binding meaning that due to this exception the policy returns false and the password stage is skipped. Versions 2024.8.3 and 2024.6.5 fix this issue.
    Added Reference GitHub, Inc. https://github.com/goauthentik/authentik/security/advisories/GHSA-7jxf-mmg9-9hg7 [No types assigned]
    Added Reference GitHub, Inc. https://github.com/goauthentik/authentik/commit/78f7b04d5a62b2a9d4316282a713c2c7857dbe29 [No types assigned]
    Added Reference GitHub, Inc. https://github.com/goauthentik/authentik/commit/dd8f809161e738b25765797eb2a5c77a7d3fc2cf [No types assigned]
    Added CWE GitHub, Inc. CWE-287
    Added CVSS V3.1 GitHub, Inc. AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-47070 is associated with the following CWEs:

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability