Summary
Given an OAuth2 provider configured with allowed redirect URIs set to * or .*, an attacker can send an OAuth Authorization request using response_mode=form_post and setting redirect_uri to a malicious URI, to capture authentik's session token.
Patches
authentik 2023.8.6 and 2023.10.6 fix this issue.
Impact
The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik.
Redirect URI Misconfiguration
While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances.
In such cases, unauthenticated and unprivileged attackers can perform the above described actions.
User with (only) App Administration Permissions
A more likely scenario is an administrative user (e.g. a normal developer) having only permissions to manage applications.
This relatively user could use the described attacks to perform a privilege escalation.
Workaround
It is recommended to upgrade to the patched version of authentik. If not possible, ensure that OAuth2 providers do not use a wildcard (* or .*) value as allowed redirect URI setting. (This is not exploitable if part of the redirect URI has a wildcard, for example https://foo-.*\.bar\.com)
For more information
If you have any questions or comments about this advisory:
lauritzh Reporter
Summary
Given an OAuth2 provider configured with allowed redirect URIs set to
*or.*, an attacker can send an OAuth Authorization request usingresponse_mode=form_postand settingredirect_urito a malicious URI, to capture authentik's session token.Patches
authentik 2023.8.6 and 2023.10.6 fix this issue.
Impact
The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik.
Redirect URI Misconfiguration
While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances.
In such cases, unauthenticated and unprivileged attackers can perform the above described actions.
User with (only) App Administration Permissions
A more likely scenario is an administrative user (e.g. a normal developer) having only permissions to manage applications.
This relatively user could use the described attacks to perform a privilege escalation.
Workaround
It is recommended to upgrade to the patched version of authentik. If not possible, ensure that OAuth2 providers do not use a wildcard (
*or.*) value as allowed redirect URI setting. (This is not exploitable if part of the redirect URI has a wildcard, for examplehttps://foo-.*\.bar\.com)For more information
If you have any questions or comments about this advisory: