db95dfe38d
* add flow authentication requirement

  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add website for cve

  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tests

  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: handle FlowNonApplicableException without policy result

  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add release notes

  Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
20 lines
622 B
Markdown
# CVE-2022-46145
## Unauthorized user creation and potential account takeover
### Impact
With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows email-verified password recovery, an attacker can use this to overwrite the email address of admin accounts and take over those accounts.
### Patches
authentik 2022.11.2 and 2022.10.2 fix this issue; for other versions, the workaround below can be used.
### Workarounds
An expression policy can be created and bound to the `default-user-settings-flow` flow with the following contents:
```python
# Only users who are already authenticated may run this flow.
return request.user.is_authenticated
```
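To see what binding that policy changes, the following is an added illustration written for this page; it is not authentik's policy engine or any code from the project. It evaluates an expression policy body the same general way an expression policy is run (the body becomes a function that receives `request`, and its return value is the verdict) and then applies the "every bound policy must pass" rule to a constructed anonymous and a constructed logged-in user. `User`, `PolicyRequest`, `flow_applicable` and the sample identities are assumptions made for the example.

```python
"""Added illustration of the workaround; not authentik's own policy engine."""
from dataclasses import dataclass

# Policy body from the workaround above.
POLICY_EXPRESSION = "return request.user.is_authenticated"


@dataclass
class User:
    username: str
    is_authenticated: bool


@dataclass
class PolicyRequest:
    user: User


# Constructed sample identities: an anonymous visitor and a logged-in user.
ANONYMOUS = User(username="AnonymousUser", is_authenticated=False)
LOGGED_IN = User(username="akadmin", is_authenticated=True)


def evaluate_policy(expression: str, request: PolicyRequest) -> bool:
    """Evaluate an expression policy body against a request.

    The body is indented into `def handler(request):` and executed, then the
    handler's return value is taken as the verdict. This is not a sandbox:
    expression policies are trusted, admin-authored code.
    """
    body = "\n".join("    " + line for line in expression.splitlines())
    namespace: dict = {}
    exec(f"def handler(request):\n{body}\n", namespace)
    return bool(namespace["handler"](request))


def flow_applicable(user: User, bound_policies: list[str]) -> bool:
    """A flow is only applicable when every policy bound to it passes.

    With no policies bound, the flow is open to everyone, which is the
    pre-patch state of the default user-settings flow.
    """
    request = PolicyRequest(user=user)
    return all(evaluate_policy(p, request) for p in bound_policies)


if __name__ == "__main__":
    # No policy bound: an unauthenticated request may run the flow.
    print("no policy, anonymous:", flow_applicable(ANONYMOUS, []))  # True
    # Workaround bound: anonymous requests are rejected, logged-in ones pass.
    print("workaround, anonymous:", flow_applicable(ANONYMOUS, [POLICY_EXPRESSION]))  # False
    print("workaround, logged in:", flow_applicable(LOGGED_IN, [POLICY_EXPRESSION]))  # True
```

The point the example makes is that the fix is a precondition on the flow, not on any particular stage inside it: once the policy is bound, an anonymous request never reaches the stages that would create or modify an account.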