
CVE-2024-52287

Reported by @matt1097

Insufficient validation of OAuth scopes for client_credentials and device_code grants

Summary

When using the client_credentials or device_code OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik.

Details

With the device_code grant, a client could have the user authorize one set of permitted scopes at the device authorization step and then, at the token request, obtain a token carrying a different set of scopes, including scopes that were never configured in authentik. Such a token could be presented to another system that trusts tokens signed by authentik, allowing malicious actions to be performed on behalf of the user.

With the client_credentials grant, because there is no user authorization process, authentik would not validate the scopes requested for the token, allowing tokens to be issued with scopes not configured in authentik. These could similarly be used to execute malicious actions in other systems.
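The following is an added illustration of the two failure modes described above, not code from authentik. It models a token endpoint twice: a pre-fix version that trusts the `scope` parameter of the token request verbatim, and a hardened version that binds device_code tokens to the scopes the user actually approved and checks client_credentials requests against the scopes configured for the provider. All names (`Provider`, `DeviceGrant`, `issue_token_*`) and the sample data are hypothetical.

```python
"""Illustrative OAuth2 scope validation at the token endpoint.

Added example; not authentik's implementation. Demonstrates the flaw described
in the advisory (requested scopes trusted as-is) next to a hardened variant.
All classes, functions and sample values are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


class InvalidScope(Exception):
    """Corresponds to the RFC 6749 section 5.2 'invalid_scope' token error."""


@dataclass(frozen=True)
class Provider:
    client_id: str
    # Scope mappings an administrator has configured for this provider.
    configured_scopes: frozenset


@dataclass(frozen=True)
class DeviceGrant:
    """A device_code the user has already approved (RFC 8628 section 3.3)."""
    device_code: str
    client_id: str
    # Scopes the user consented to on the verification page.
    approved_scopes: frozenset


def issue_token_vulnerable(provider: Provider, requested_scope: str,
                           grant: Optional[DeviceGrant] = None) -> frozenset:
    """Pre-fix behaviour (hypothetical): the scope string sent with the token
    request becomes the token's scopes. For device_code this lets the client
    swap in scopes the user never approved; for client_credentials nothing
    compares them against the provider's configuration."""
    return frozenset(requested_scope.split())


def issue_token_hardened(provider: Provider, requested_scope: str,
                         grant: Optional[DeviceGrant] = None) -> frozenset:
    """Hardened behaviour: scopes come from server-side state, never from the
    bare token request."""
    requested = frozenset(requested_scope.split())

    if grant is not None:
        # device_code flow. RFC 8628 section 3.4 defines no scope parameter
        # on the token request, so the only authoritative source is what the
        # user approved. Reject any attempt to widen it instead of ignoring it.
        if grant.client_id != provider.client_id:
            raise InvalidScope("device_code was issued to a different client")
        if not requested <= grant.approved_scopes:
            raise InvalidScope(
                f"scopes not approved by user: {sorted(requested - grant.approved_scopes)}")
        # Defence in depth: approved scopes should already be a subset of the
        # configured ones; intersect anyway so a stale grant cannot leak a
        # scope the administrator has since removed.
        return grant.approved_scopes & provider.configured_scopes

    # client_credentials flow: there is no user consent step, so the
    # provider configuration is the only policy. Unknown scopes are an error.
    unknown = requested - provider.configured_scopes
    if unknown:
        raise InvalidScope(f"scopes not configured for client: {sorted(unknown)}")
    return requested


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    provider = Provider("service-a", frozenset({"openid", "email"}))
    grant = DeviceGrant("dev-code-1", "service-a", frozenset({"openid"}))

    # Escalation attempt: user approved only "openid", client asks for "admin".
    print("vulnerable device_code:", sorted(issue_token_vulnerable(provider, "openid admin", grant)))
    try:
        issue_token_hardened(provider, "openid admin", grant)
    except InvalidScope as exc:
        print("hardened device_code:", exc)

    # client_credentials with a scope the provider never had configured.
    print("vulnerable client_credentials:", sorted(issue_token_vulnerable(provider, "admin")))
    try:
        issue_token_hardened(provider, "admin")
    except InvalidScope as exc:
        print("hardened client_credentials:", exc)
```

The practical test for a deployment is the same as the second half of this script: request a client_credentials token with a scope that is not configured on the provider and confirm the token endpoint answers `invalid_scope` rather than minting the token.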

There is no workaround for this issue. However, it can only be exploited by an attacker who holds a valid OAuth2 client_id and client_secret pair for a provider in authentik, and who knows of another system that trusts tokens issued by authentik and which scopes that system checks for.

Patches

authentik 2024.8.5 and 2024.10.3 fix this issue.

For more information

If you have any questions or comments about this advisory: