db95dfe38d
* add flow authentication requirement
  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add website for cve
  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add tests
  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* flows: handle FlowNonApplicableException without policy result
  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
* add release notes
  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
CVE-2022-46145
Unauthorized user creation and potential account takeover
Impact
With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts.
Patches
authentik 2022.11.2 and 2022.10.2 fix this issue, for other versions the workaround can be used.
Workarounds
A policy can be created and bound to the default-user-settings-flow flow with the following contents:

    return request.user.is_authenticated
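To show what the workaround policy actually gates, here is an added, simplified stand-in for authentik-style expression-policy evaluation (this is not authentik's own code; the names User, PolicyRequest, evaluate_policy and flow_allowed are assumed for the demonstration). It runs the advisory's one-line policy against a constructed anonymous request and a constructed authenticated request, and also shows that a flow with no policy bound lets the anonymous request through, which is the pre-patch default the advisory describes.

```python
"""Minimal stand-in for expression-policy evaluation (not authentik's code)."""
from dataclasses import dataclass
import textwrap


@dataclass
class User:
    username: str
    is_authenticated: bool  # False for the anonymous user (assumed model)


@dataclass
class PolicyRequest:
    user: User  # the only context attribute this demo exposes to policies


def evaluate_policy(expression: str, request: PolicyRequest) -> bool:
    """Wrap the policy body in a function and run it with `request` bound.

    Expression policies are Python snippets that `return` a boolean; we mimic
    that by indenting the body into a generated function. Builtins are emptied
    in the evaluation namespace so the body cannot reach `__import__` etc.
    (a simplification of a real sandbox, not a substitute for one).
    """
    body = textwrap.indent(expression, "    ")
    source = f"def _policy(request):\n{body}\n"
    namespace = {"__builtins__": {}}
    exec(compile(source, "<policy>", "exec"), namespace)
    return bool(namespace["_policy"](request))


# The workaround from the advisory, to be bound to default-user-settings-flow.
REQUIRE_AUTHENTICATED = "return request.user.is_authenticated"


def flow_allowed(flow_policies: list[str], request: PolicyRequest) -> bool:
    """Every policy bound to the flow must pass before any stage executes.

    With no policies bound (the vulnerable default), everyone passes.
    """
    return all(evaluate_policy(p, request) for p in flow_policies)


if __name__ == "__main__":
    # Constructed sample requests: an anonymous visitor and a logged-in admin.
    anonymous = PolicyRequest(User("AnonymousUser", is_authenticated=False))
    admin = PolicyRequest(User("akadmin", is_authenticated=True))
    print("no policy, anonymous:", flow_allowed([], anonymous))
    print("workaround, anonymous:", flow_allowed([REQUIRE_AUTHENTICATED], anonymous))
    print("workaround, admin:", flow_allowed([REQUIRE_AUTHENTICATED], admin))
```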