
x/vulndb: potential Go vuln in goauthentik.io: CVE-2023-36456 #1893

Closed
GoVulnBot opened this issue Jul 6, 2023 · 3 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.

Comments

GoVulnBot commented Jul 6, 2023

CVE-2023-36456 references goauthentik.io, which may be a Go module.

Description:
authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the Go code. Only authentik setups that are directly accessible by users without a reverse proxy are susceptible to this. Possible spoofing of IP addresses in logs, downstream applications proxied by (built-in) outpost, IP bypassing in custom flows if used.

This poses a possible security risk when someone has flows or policies that check the user's IP address, e.g. when they want to skip the user's two-factor authentication when the user is connected to the company network. A second security risk is that the IP addresses in the logfiles and user sessions are not reliable anymore. Anybody can spoof this address and one cannot verify that the user has logged in from the IP address that is in their account's log. A third risk is that this header is passed on to the proxied application behind an outpost. The application may do any kind of verification, logging, blocking or rate limiting based on the IP address, and this IP address can be overridden by anybody that wants to.

Versions 2023.4.3 and 2023.5.5 contain a patch for this issue.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: goauthentik.io
      vulnerable_at: 0.0.0-20230706164724-e2bfcf8a6dd7
      packages:
        - package: authentik
description: |-
    authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and
    2023.5.5, authentik does not verify the source of the X-Forwarded-For and
    X-Real-IP headers, both in the Python code and the Go code. Only authentik
    setups that are directly accessible by users without a reverse proxy are
    susceptible to this. Possible spoofing of IP addresses in logs, downstream
    applications proxied by (built in) outpost, IP bypassing in custom flows if
    used.

    This poses a possible security risk when someone has flows or policies that
    check the user's IP address, e.g. when they want to ignore the user's 2 factor
    authentication when the user is connected to the company network. A second
    security risk is that the IP addresses in the logfiles and user sessions are not
    reliable anymore. Anybody can spoof this address and one cannot verify that the
    user has logged in from the IP address that is in their account's log. A third
    risk is that this header is passed on to the proxied application behind an
    outpost. The application may do any kind of verification, logging, blocking or
    rate limiting based on the IP address, and this IP address can be overridden by
    anybody that wants to.

    Versions 2023.4.3 and 2023.5.5 contain a patch for this issue.
cves:
    - CVE-2023-36456
references:
    - advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-cmxp-jcw7-jjjv
    - fix: https://github.com/goauthentik/authentik/commit/15026748d19d490eb2baf9a9566ead4f805f7dff
    - fix: https://github.com/goauthentik/authentik/commit/c07a48a3eccbd7b23026f72136d3392bbc6f795a
    - web: https://goauthentik.io/docs/releases/2023.4#fixed-in-202343
    - web: https://goauthentik.io/docs/releases/2023.5#fixed-in-202355
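The missing check the advisory describes is that forwarding headers were honoured no matter who sent them. The following is an added illustration of the defensive pattern, not authentik's code or the content of the fix commits: it assumes a configured list of trusted reverse-proxy prefixes and ignores X-Forwarded-For / X-Real-IP entirely unless the TCP peer is one of them, so a client talking to the server directly cannot choose the address that logs, policies or a proxied application see.

```go
package main

import (
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// ClientIP returns the address a policy or log line should attribute to r.
// X-Forwarded-For and X-Real-IP are honoured only when the TCP peer is one of
// the configured reverse proxies; a request that reaches the server directly
// (the exposure the advisory describes) keeps its peer address regardless of headers.
func ClientIP(r *http.Request, trusted []netip.Prefix) netip.Addr {
	peer := parseIP(r.RemoteAddr)
	if !isTrusted(peer, trusted) {
		return peer // header values from an untrusted peer are attacker-controlled
	}
	// X-Forwarded-For is "client, proxy1, proxy2, ...": walk from the right and
	// take the first hop that is not one of our own proxies.
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		if ip := parseIP(hops[i]); ip.IsValid() && !isTrusted(ip, trusted) {
			return ip
		}
	}
	if ip := parseIP(r.Header.Get("X-Real-IP")); ip.IsValid() {
		return ip
	}
	return peer
}

// parseIP accepts "host:port" or a bare IP; anything else yields the zero Addr.
func parseIP(s string) netip.Addr {
	s = strings.TrimSpace(s)
	if host, _, err := net.SplitHostPort(s); err == nil {
		s = host
	}
	ip, _ := netip.ParseAddr(s) // zero (invalid) Addr on error
	return ip.Unmap()           // so ::ffff:10.0.0.1 matches an IPv4 prefix
}

func isTrusted(ip netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}
```

With an empty trusted list the function degrades to "always use the peer address", which is the safe setting for an instance exposed without a reverse proxy.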

@jba jba self-assigned this Jul 7, 2023
@jba jba added the excluded: EFFECTIVELY_PRIVATE label and removed the NeedsReport label Jul 7, 2023
jba (Contributor) commented Jul 7, 2023

Fix to Go code is in an internal package.

gopherbot (Contributor) commented

Change https://go.dev/cl/508456 mentions this issue: data/excluded: batch add 14 excluded reports

gopherbot (Contributor) commented

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports
