CVE-2023-48228 – This vulnerability allows attackers to bypass P... (How to Fix)

Q: What is the severity of CVE-2023-48228?

CVE-2023-48228 has a CVSS score of 7.5 (HIGH). This vulnerability allows attackers to bypass PKCE (Proof Key for Code Exchange) protection in authentik's OAuth2 flows. When an OAuth2 flow is initiated with a code_challenge but the attacker omits the code_verifier during token exchange, authentik accepts the request without validation. This affects all authentik deployments using OAuth2 with PKCE before the patched versions.

📋 TL;DR

This vulnerability allows attackers to bypass PKCE (Proof Key for Code Exchange) protection in authentik's OAuth2 flows. When an OAuth2 flow is initiated with a code_challenge but the attacker omits the code_verifier during token exchange, authentik accepts the request without validation. This affects all authentik deployments using OAuth2 with PKCE before the patched versions.

💻 Affected Systems

Products:

authentik

Versions: All versions before 2023.8.5 and 2023.10.4

Operating Systems: All platforms running authentik

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects deployments using OAuth2 provider with PKCE enabled. PKCE is commonly used for public clients and mobile applications.

📦 What is this software?

Authentik by Goauthentik

View all CVEs affecting Authentik →

Authentik by Goauthentik

View all CVEs affecting Authentik →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete OAuth2 authorization bypass allowing attackers to obtain access tokens without proper authentication, potentially leading to account takeover and unauthorized access to protected resources.

🟠

Likely Case

Attackers can bypass PKCE protection to obtain OAuth2 tokens, enabling unauthorized access to applications relying on authentik for authentication.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to potential token misuse within the authentication system scope.

🌐 Internet-Facing: HIGH - OAuth2 endpoints are typically internet-facing and this vulnerability allows bypassing critical authentication controls.

🏢 Internal Only: MEDIUM - Internal applications using authentik OAuth2 could be compromised, but network segmentation reduces exposure.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires understanding of OAuth2 flows but is straightforward once the vulnerability is understood. No authentication needed to trigger the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.8.5 or 2023.10.4

Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-xxxx-xxxx-xxxx

Restart Required: Yes

Instructions:

1. Backup your authentik configuration and database. 2. Update authentik to version 2023.8.5 or 2023.10.4 using your deployment method (Docker, Kubernetes, etc.). 3. Restart authentik services. 4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable OAuth2 provider

all

Temporarily disable the OAuth2 provider if not essential for operations

Edit authentik configuration to disable OAuth2 provider or remove OAuth2 applications

Network isolation

all

Restrict access to OAuth2 endpoints to trusted networks only

Configure firewall rules to limit access to /application/o/token/ endpoint

🧯 If You Can't Patch

Implement WAF rules to detect and block OAuth2 token requests missing code_verifier when code_challenge was used
Increase monitoring and alerting on OAuth2 token issuance events for anomalous patterns

🔍 How to Verify

Check if Vulnerable:

Check if authentik version is below 2023.8.5 or 2023.10.4 and OAuth2 provider is enabled

Check Version:

docker exec authentik authentik version or check authentik admin interface version info

Verify Fix Applied:

After update, verify version is 2023.8.5 or higher, or 2023.10.4 or higher. Test OAuth2 flow with missing code_verifier should be rejected.

📡 Detection & Monitoring

Log Indicators:

OAuth2 token requests without code_verifier parameter
Successful token issuance without PKCE validation

Network Indicators:

HTTP POST requests to /application/o/token/ endpoint with missing code_verifier parameter

SIEM Query:

source="authentik" AND "token" AND NOT "code_verifier" AND "code_challenge"

📊 Metadata

CVE ID: CVE-2023-48228

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-287

Published: November 21, 2023

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-48228, you might also want to check these: