Description

authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs/<uuid>/view_certificate/, /api/v3/crypto/certificatekeypairs/<uuid>/view_private_key/, and /api/v3/.../used_by/. Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue.

INFO

Published Date :

2024-08-22T15:34:45.815Z

Last Modified :

2024-08-22T16:04:32.442Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-42490 vulnerability.

Vendors Products
Goauthentik
  • Authentik
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-42490.

URL Resource
https://github.com/goauthentik/authentik/commit/19318d4c00bb02c4ec3c4f8f15ac2e1dbe8d846c cve-icon cve-icon
https://github.com/goauthentik/authentik/commit/359b343f51524342a5ca03828e7c975a1d654b11 cve-icon cve-icon
https://github.com/goauthentik/authentik/security/advisories/GHSA-qxqc-27pr-wgc8 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact