CVE-2024-42490: GoAuthentik vulnerable to Insufficient Authorization for several API endpoints
(updated )
Several API endpoints can be accessed by users without correct authentication/authorization.
The main API endpoints affected by this:
/api/v3/crypto/certificatekeypairs/<uuid>/view_certificate//api/v3/crypto/certificatekeypairs/<uuid>/view_private_key//api/v3/.../used_by/
Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable.
References
- github.com/advisories/GHSA-qxqc-27pr-wgc8
- github.com/goauthentik/authentik
- github.com/goauthentik/authentik/commit/19318d4c00bb02c4ec3c4f8f15ac2e1dbe8d846c
- github.com/goauthentik/authentik/commit/359b343f51524342a5ca03828e7c975a1d654b11
- github.com/goauthentik/authentik/security/advisories/GHSA-qxqc-27pr-wgc8
- nvd.nist.gov/vuln/detail/CVE-2024-42490
Detect and mitigate CVE-2024-42490 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →