Moderate severityNVD Advisory· Published Apr 21, 2021· Updated Aug 3, 2024
Authelia allows open redirects on the logout endpoint
CVE-2021-29456
Description
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. This security issue does not directly impact the security of the web application itself. As a workaround, one can use a reverse proxy to strip the query parameter from the affected endpoint. There is a patch for version 4.28.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/authelia/authelia/v4Go | < 4.28.0 | 4.28.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-36f2-fcrx-fp4jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-29456ghsaADVISORY
- github.com/authelia/authelia/security/advisories/GHSA-36f2-fcrx-fp4jghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.