CVE-2022-46145
CVSS V2 None
CVSS V3 None
Description
authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`.
Overview
- CVE ID
- CVE-2022-46145
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-12-02T18:15:12.790
- Last Modified Date
- 2022-12-06T12:23:25.720
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:* | 1 | OR | 2022.10.2 | |
| cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:* | 1 | OR | 2022.11 | 2022.11.2 |
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf | Mitigation Third Party Advisory |
| https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102 | Release Notes Vendor Advisory |
| https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112 | Release Notes Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-46145 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46145 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-12-07 18:06:02 | Added to TrackCVE |