CVE-2021-29456
MEDIUMAuthelia < 4.28.0 - Open Redirect via HTTP Query Parameter
Title source: llmDescription
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. This security issue does not directly impact the security of the web application itself. As a workaround, one can use a reverse proxy to strip the query parameter from the affected endpoint. There is a patch for version 4.28.0.
References (1)
Core 1
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/authelia/authelia/security/advisories/GHSA-36f2-fcrx-fp4j
Scores
CVSS v3
5.7
EPSS
0.0051
EPSS Percentile
39.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-601
Status
published
Products (2)
authelia/authelia
< 4.28.0
authelia/authelia
0 - 4.28.0Go
Published
Apr 21, 2021
Tracked Since
Feb 18, 2026