authentik/website/docs/security/CVE-2024-21637.md

# CVE-2024-21637

_Reported by [@lauritzh](https://github.com/lauritzh)_

## XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode

### Summary

Given an OAuth2 provider configured with allowed redirect URIs set to `*` or `.*`, an attacker can send an OAuth Authorization request using `response_mode=form_post` and setting `redirect_uri` to a malicious URI, to capture authentik's session token.

### Patches

authentik 2023.8.6 and 2023.10.6 fix this issue.

### Impact

The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik.

#### Redirect URI Misconfiguration

While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances.

In such cases, unauthenticated and unprivileged attackers can perform the above described actions.

### User with (only) App Administration Permissions

A more likely scenario is an administrative user (e.g. a normal developer) having only permissions to manage applications.

This relatively user could use the described attacks to perform a privilege escalation.

### Workaround

It is recommended to upgrade to the patched version of authentik. If not possible, ensure that OAuth2 providers do not use a wildcard (`*` or `.*`) value as allowed redirect URI setting. (This is _not_ exploitable if part of the redirect URI has a wildcard, for example `https://foo-.*\.bar\.com`)

### For more information

If you have any questions or comments about this advisory:

-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
providers/oauth2: fix CVE-2024-21637 (#8104) Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2024-01-09 17:14:12 +00:00			`# CVE-2024-21637`

			`_Reported by [@lauritzh](https://github.com/lauritzh)_`

			`## XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode`

			`### Summary`

			Given an OAuth2 provider configured with allowed redirect URIs set to `` or `.`, an attacker can send an OAuth Authorization request using `response_mode=form_post` and setting `redirect_uri` to a malicious URI, to capture authentik's session token.

			`### Patches`

			`authentik 2023.8.6 and 2023.10.6 fix this issue.`

			`### Impact`

			`The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik.`

			`#### Redirect URI Misconfiguration`

			`While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances.`

			`In such cases, unauthenticated and unprivileged attackers can perform the above described actions.`

			`### User with (only) App Administration Permissions`

			`A more likely scenario is an administrative user (e.g. a normal developer) having only permissions to manage applications.`

			`This relatively user could use the described attacks to perform a privilege escalation.`

			`### Workaround`

			It is recommended to upgrade to the patched version of authentik. If not possible, ensure that OAuth2 providers do not use a wildcard (`` or `.`) value as allowed redirect URI setting. (This is _not_ exploitable if part of the redirect URI has a wildcard, for example `https://foo-.*\.bar\.com`)

			`### For more information`

			`If you have any questions or comments about this advisory:`

			`- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)`