Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
authentik vulnerable to unauthorized user creation and potential account takeover
Vulnerability Description
authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
认证机制不恰当
Vulnerability Title
authentik 访问控制错误漏洞
Vulnerability Description
authentik是authentik开源的一个开源身份提供应用程序。 authentik 2022.11.2和2022.10.2之前的版本存在访问控制错误漏洞,该漏洞源于未经身份验证的用户可以使用默认流在authentik中创建新帐户。
CVSS Information
N/A
Vulnerability Type
N/A