CVE-2024-23647

MEDIUM

authentik <2023.8.7 and 2023.10.0-2023.10.7 - PKCE Downgrade Authentication Bypass via Code Challenge Removal

Title source: llm

Description

Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj

Patch x_refsource_misc

https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0054

EPSS Percentile 41.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-287

Status published

Products (2)

Go/goauthentik.io 2023.10.0 - 2023.10.7Go

goauthentik/authentik < 2023.8.7

Published Jan 30, 2024

Tracked Since Feb 18, 2026