Moderate severityNVD Advisory· Published Apr 21, 2021· Updated Aug 3, 2024
Authelia allows open redirects on the logout endpoint
CVE-2021-29456
Description
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. This security issue does not directly impact the security of the web application itself. As a workaround, one can use a reverse proxy to strip the query parameter from the affected endpoint. There is a patch for version 4.28.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/authelia/authelia/v4Go | < 4.28.0 | 4.28.0 |
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-36f2-fcrx-fp4jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-29456ghsaADVISORY
- github.com/authelia/authelia/security/advisories/GHSA-36f2-fcrx-fp4jghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.