Bitnami package
authentik
pkg:bitnami/authentik
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-46249 | — | | | < 2023.8.4 | 2023.8.4 | Oct 31, 2023 | authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint t |
| CVE-2023-39522 | — | | | < 2023.5.6 | 2023.5.6 | Aug 29, 2023 | goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system |
| CVE-2023-36456 | — | | | < 2023.4.3 | 2023.4.3 | Jul 6, 2023 | authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the Go code. Only authentik setups that are directly accessible by users without |
| CVE-2023-26481 | — | | | < 2022.12.3 | 2022.12.3 | Mar 4, 2023 | authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, whi |
| CVE-2022-46172 | — | | | >= 2022.10.0, < 2022.10.4 | 2022.10.4 | Dec 28, 2022 | authentik is an open-source Identity Provider focused on flexibility and versatility. In versions prior to 2022.10.4 and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where |
| CVE-2022-23555 | — | | | < 2022.10.4 | 2022.10.4 | Dec 28, 2022 | authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than |
| CVE-2022-46145 | — | | | < 2022.10.2 | 2022.10.2 | Dec 2, 2022 | authentik is an open-source Identity Provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows f |