Homepage
About Snyk

Improper Authentication Affecting goauthentik.io package, versions <2023.8.4 >=2023.10.0 <2023.10.2

Severity

 Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.13% (49th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GOAUTHENTIKIO-6041974
  • published 13 Nov 2023
  • disclosed 31 Oct 2023
  • credit Ricardo Loureiro
Report a new vulnerability Found a mistake?

Introduced: 31 Oct 2023

CVE-2023-46249 Open this link in a new tab
CWE-287 Open this link in a new tab

How to fix?

Upgrade goauthentik.io to version 2023.8.4, 2023.10.2 or higher.

Overview

Affected versions of this package are vulnerable to Improper Authentication via the initial-setup flow that is used to configure the system after the first installation. When the default admin is deleted, an attacker can set the password of the default admin user without any authentication.

Workaround

This vulnerability can be mitigated by ensuring the default admin user (Username akadmin) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
9.6 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical