Home > Vulnerability Database > CVE-2024-23647

Mend.io Vulnerability Database

CVE-2024-23647

Good to know:

Date: January 30, 2024

Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue.

Language: Python

Severity Score

8.8

Related Resources (4)

Url: https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-23647

Url: https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a

Url: https://www.mend.io/vulnerability-database/CVE-2024-23647

Severity Score

8.8

Weakness Type (CWE)

Authentication Issues

CWE-287

Top Fix

Upgrade Version

Upgrade to version version-2023.8.6,version/2023.10.7

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-23647

Good to know:

Date: January 30, 2024

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?