CVE-2022-46145: Release 2022.11 | authentik

authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the default-user-settings-flow flow with the contents return request.user.is_authenticated.


Breaking changes

  • Have I Been Pwned policy is deprecated

    The policy has been merged with the password policy which provides the same functionality. Existing Have I Been Pwned policies will automatically be migrated.

  • Instead of using multiple redis databases, authentik now uses a single redis database

    After the upgrade, some cached information is temporarily lost, such as cached system tasks and policy results. This data is re-cached in the background.

New features

  • authentik now runs on Python 3.11

  • Expanded password policy

    The “Have I Been Pwned” policy has been merged into the password policy, and passwords can additionally be checked with zxcvbn to provide concise strength feedback.
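The following is an added example, not authentik's own code: it models the merged password policy described above using the field names and semantics from the API changes further down (check_static_rules, check_have_i_been_pwned, check_zxcvbn, hibp_allowed_count, zxcvbn_score_threshold). It assumes a stand-in 0-4 scorer in place of the real zxcvbn library and a constructed, offline copy of a Pwned Passwords range response; the only static rule modelled is a minimum length.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed offline stand-in for the Pwned Passwords "range" API. The real
# service is queried with the first 5 hex chars of the uppercase SHA-1 and answers
# with "<35-char suffix>:<count>" lines (k-anonymity). Counts here are made up.
_PW_HASH = sha1_upper("password")
SAMPLE_RANGES: Dict[str, str] = {
    _PW_HASH[:5]: f"{_PW_HASH[5:]}:1234\n0018A45C4D1DEF81644B54AB7F969B88D65:1\n",
}

def hibp_count(password: str, ranges: Dict[str, str]) -> int:
    """How many times the password's hash appears in the (sample) HIBP corpus."""
    digest = sha1_upper(password)
    for line in ranges.get(digest[:5], "").splitlines():
        suffix, _, count = line.partition(":")
        if suffix == digest[5:]:
            return int(count)
    return 0

def naive_zxcvbn_score(password: str) -> int:
    """Stand-in scorer (assumption: 0-4 scale like zxcvbn) from character classes
    and length. This is NOT the real zxcvbn algorithm."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return max(0, min(4, classes - 1 + (len(password) >= 12) + (len(password) >= 16)))

@dataclass
class PasswordPolicy:
    # Field names follow the 2022.11 API changes for /policies/password/.
    check_static_rules: bool = True
    check_have_i_been_pwned: bool = True
    check_zxcvbn: bool = True
    hibp_allowed_count: int = 0       # occurrences on HIBP that are still tolerated
    zxcvbn_score_threshold: int = 2   # a score equal to or below this value fails
    length_min: int = 8               # the only static rule modelled here

    def failed_checks(self, password: str,
                      ranges: Optional[Dict[str, str]] = None,
                      scorer: Callable[[str], int] = naive_zxcvbn_score) -> List[str]:
        """Return the names of the failed checks; an empty list means the policy passes."""
        ranges = SAMPLE_RANGES if ranges is None else ranges
        failures = []
        if self.check_static_rules and len(password) < self.length_min:
            failures.append("static_rules")
        if self.check_have_i_been_pwned and hibp_count(password, ranges) > self.hibp_allowed_count:
            failures.append("hibp")
        if self.check_zxcvbn and scorer(password) <= self.zxcvbn_score_threshold:
            failures.append("zxcvbn")
        return failures
```

Raising hibp_allowed_count tolerates a password seen up to that many times, while zxcvbn_score_threshold rejects any score at or below the threshold, so threshold 4 rejects everything.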

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose file for 2022.11 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

    image:
      repository: ghcr.io/goauthentik/server
      tag: 2022.11.1

Minor changes/fixes

  • api: fix missing scheme in securitySchemes
  • blueprints: Fixed bug causing blueprint instance context be discarded (#3990)
  • core: fix error when propertymappings return complex value
  • core: simplify group serializer for user API endpoint (#3899)
  • events: deepcopy event kwargs to prevent objects being removed, remove workaround
  • events: sanitize generator for json safety
  • lib: fix complex objects being included in event context for ak_create_event
  • lifecycle: fix incorrect messages looped
  • outposts/kubernetes: ingress class (#4002)
  • policies: only cache policies for authenticated users
  • policies/password: merge hibp add zxcvbn (#4001)
  • providers/oauth2: fix inconsistent expiry encoded in JWT
  • root: make sentry DSN configurable (#4016)
  • root: relicense and launch blog post
  • root: use single redis db (#4009)
  • sources: add custom icon support (#4022)
  • stages/authenticator_*: cleanup
  • stages/authenticator_validate: add flag to configure user_verification for webauthn devices
  • stages/invitation: directly delete invitation now that flow plan is saved in email token
  • web: fix twitter icon
  • web/flows: always hide static user info when its not set in the flow

Fixed in 2022.11.1

  • blueprints: add desired state attribute to objects (#4061)
  • core: fix tab-complete in shell
  • root: fix build on arm64
  • stages/email: add test for email translation
  • web/admin: fix error when importing duo devices
  • web/admin: reset cookie_domain when setting non-domain forward auth

Fixed in 2022.11.2

  • *: fix CVE-2022-46145

Fixed in 2022.11.3

  • web: fix Flow Form failing to load due to outdated API client

API Changes

What’s Changed

GET /policies/password/{policy_uuid}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property check_static_rules (boolean)

    • Added property check_have_i_been_pwned (boolean)

    • Added property check_zxcvbn (boolean)

    • Added property hibp_allowed_count (integer)

      How many times the password hash is allowed to be on haveibeenpwned

    • Added property zxcvbn_score_threshold (integer)

      If the zxcvbn score is equal or less than this value, the policy will fail.

PUT /policies/password/{policy_uuid}/

Request:

Changed content type : application/json

  • Added property check_static_rules (boolean)

  • Added property check_have_i_been_pwned (boolean)

  • Added property check_zxcvbn (boolean)

  • Added property hibp_allowed_count (integer)

    How many times the password hash is allowed to be on haveibeenpwned

  • Added property zxcvbn_score_threshold (integer)

    If the zxcvbn score is equal or less than this value, the policy will fail.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property check_static_rules (boolean)

    • Added property check_have_i_been_pwned (boolean)

    • Added property check_zxcvbn (boolean)

    • Added property hibp_allowed_count (integer)

      How many times the password hash is allowed to be on haveibeenpwned

    • Added property zxcvbn_score_threshold (integer)

      If the zxcvbn score is equal or less than this value, the policy will fail.

PATCH /policies/password/{policy_uuid}/

Request:

Changed content type : application/json

  • Added property check_static_rules (boolean)

  • Added property check_have_i_been_pwned (boolean)

  • Added property check_zxcvbn (boolean)

  • Added property hibp_allowed_count (integer)

    How many times the password hash is allowed to be on haveibeenpwned

  • Added property zxcvbn_score_threshold (integer)

    If the zxcvbn score is equal or less than this value, the policy will fail.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property check_static_rules (boolean)

    • Added property check_have_i_been_pwned (boolean)

    • Added property check_zxcvbn (boolean)

    • Added property hibp_allowed_count (integer)

      How many times the password hash is allowed to be on haveibeenpwned

    • Added property zxcvbn_score_threshold (integer)

      If the zxcvbn score is equal or less than this value, the policy will fail.

GET /core/tokens/{identifier}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

PUT /core/tokens/{identifier}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

PATCH /core/tokens/{identifier}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

GET /core/users/{id}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property groups_obj (array)

      Changed items (object): > Simplified Group Serializer for user’s groups

      New optional properties:

      • users_obj

      • Deleted property users (array)

      • Deleted property users_obj (array)

PUT /core/users/{id}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property groups_obj (array)

      Changed items (object): > Simplified Group Serializer for user’s groups

      New optional properties:

      • users_obj

      • Deleted property users (array)

      • Deleted property users_obj (array)

PATCH /core/users/{id}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property groups_obj (array)

      Changed items (object): > Simplified Group Serializer for user’s groups

      New optional properties:

      • users_obj

      • Deleted property users (array)

      • Deleted property users_obj (array)

GET /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

PUT /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

PATCH /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

POST /policies/password/

Request:

Changed content type : application/json

  • Added property check_static_rules (boolean)

  • Added property check_have_i_been_pwned (boolean)

  • Added property check_zxcvbn (boolean)

  • Added property hibp_allowed_count (integer)

    How many times the password hash is allowed to be on haveibeenpwned

  • Added property zxcvbn_score_threshold (integer)

    If the zxcvbn score is equal or less than this value, the policy will fail.

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Added property check_static_rules (boolean)

    • Added property check_have_i_been_pwned (boolean)

    • Added property check_zxcvbn (boolean)

    • Added property hibp_allowed_count (integer)

      How many times the password hash is allowed to be on haveibeenpwned

    • Added property zxcvbn_score_threshold (integer)

      If the zxcvbn score is equal or less than this value, the policy will fail.

GET /policies/password/

Parameters:

Added: check_have_i_been_pwned in query

Added: check_static_rules in query

Added: check_zxcvbn in query

Added: hibp_allowed_count in query

Added: zxcvbn_score_threshold in query

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Password Policy Serializer

      • Added property check_static_rules (boolean)

      • Added property check_have_i_been_pwned (boolean)

      • Added property check_zxcvbn (boolean)

      • Added property hibp_allowed_count (integer)

        How many times the password hash is allowed to be on haveibeenpwned

      • Added property zxcvbn_score_threshold (integer)

        If the zxcvbn score is equal or less than this value, the policy will fail.

POST /core/tokens/

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

GET /core/tokens/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Token Serializer

      • Changed property user_obj (object)

        User Serializer

        • Changed property groups_obj (array)

          Changed items (object): > Simplified Group Serializer for user’s groups

          New optional properties:

          • users_obj

          • Deleted property users (array)

          • Deleted property users_obj (array)

GET /core/user_consent/{id}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

POST /core/users/

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property groups_obj (array)

      Changed items (object): > Simplified Group Serializer for user’s groups

      New optional properties:

      • users_obj

      • Deleted property users (array)

      • Deleted property users_obj (array)

GET /core/users/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

GET /oauth2/refresh_tokens/{id}/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

POST /policies/bindings/

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user’s groups

        New optional properties:

        • users_obj

        • Deleted property users (array)

        • Deleted property users_obj (array)

GET /policies/bindings/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > PolicyBinding Serializer

      • Changed property user_obj (object)

        User Serializer

        • Changed property groups_obj (array)

          Changed items (object): > Simplified Group Serializer for user’s groups

          New optional properties:

          • users_obj

          • Deleted property users (array)

          • Deleted property users_obj (array)

GET /core/user_consent/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > UserConsent Serializer

      • Changed property user (object)

        User Serializer

        • Changed property groups_obj (array)

          Changed items (object): > Simplified Group Serializer for user’s groups

          New optional properties:

          • users_obj

          • Deleted property users (array)

          • Deleted property users_obj (array)

GET /oauth2/authorization_codes/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant

      • Changed property user (object)

        User Serializer

        • Changed property groups_obj (array)

          Changed items (object): > Simplified Group Serializer for user’s groups

          New optional properties:

          • users_obj

          • Deleted property users (array)

          • Deleted property users_obj (array)

GET /oauth2/refresh_tokens/

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and RefreshToken

      • Changed property user (object)

        User Serializer

        • Changed property groups_obj (array)

          Changed items (object): > Simplified Group Serializer for user’s groups

          New optional properties:

          • users_obj

          • Deleted property users (array)

          • Deleted property users_obj (array)
