CVE-2024-21637
📋 TL;DR
Authentik is vulnerable to reflected Cross-Site Scripting (XSS) via JavaScript-URIs in OpenID Connect flows when using response_mode=form_post. This allows attackers to execute arbitrary JavaScript in victims' browsers, potentially leading to privilege escalation. All Authentik instances using affected versions are vulnerable.
💻 Affected Systems
- Authentik Identity Provider
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal authentication tokens, hijack user sessions, perform actions as authenticated users, and escalate privileges to administrative access.
Likely Case
Attackers could steal session cookies or authentication tokens, leading to account takeover of regular users.
If Mitigated
With proper Content Security Policy (CSP) headers and input validation, impact is limited to specific user interactions with malicious links.
🎯 Exploit Status
Requires user interaction (clicking malicious link) but exploitation is straightforward once the vulnerability is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.8.6 or 2023.10.6
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j
Restart Required: Yes
Instructions:
1. Back up your Authentik configuration and database.
2. Update to version 2023.8.6 (for the 2023.8.x branch) or 2023.10.6 (for the 2023.10.x branch).
3. Restart the Authentik service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable response_mode=form_post
Temporarily disable OpenID Connect flows using response_mode=form_post if not required.
Implement Content Security Policy
Add strict CSP headers to prevent script execution from untrusted sources.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block malicious JavaScript-URI patterns
- Monitor for suspicious authentication flows and user reports of unexpected redirects
🔍 How to Verify
Check if Vulnerable:
Check if your Authentik version is below 2023.8.6 (for 2023.8.x) or below 2023.10.6 (for 2023.10.x).
Check Version:
docker exec authentik authentik version (if using Docker) or check the web interface admin panel.
Verify Fix Applied:
Verify the version is 2023.8.6 or higher (for 2023.8.x) or 2023.10.6 or higher (for 2023.10.x).
📡 Detection & Monitoring
Log Indicators:
- Unusual OpenID Connect authentication requests with JavaScript-URIs
- Multiple failed authentication attempts from the same source with suspicious parameters
Network Indicators:
- HTTP requests containing javascript: URIs in authentication parameters
- Unexpected redirects during OIDC flows
SIEM Query:
source="authentik" AND (uri="*javascript:*" OR params="*javascript:*")
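As an added detection example (not code from the advisory or the authentik project), the scan below applies the same idea as the SIEM query to request-log lines: it flags any OIDC request parameter whose value is a javascript: URI, after the same normalisation a browser performs, and records whether response_mode=form_post was requested. The log line format and the /application/o/authorize/ path in the sample are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (not real authentik output); the assumed format is
# "<client-ip> <method> <request-target>", one request per line.
SAMPLE_LOG = """\
203.0.113.5 GET /application/o/authorize/?client_id=app&response_type=code&response_mode=form_post&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&scope=openid
203.0.113.9 GET /application/o/authorize/?client_id=app&response_type=code&response_mode=form_post&redirect_uri=javascript%3Avoid(0)&scope=openid
203.0.113.9 GET /application/o/authorize/?client_id=app&response_type=code&response_mode=query&redirect_uri=%09JaVaScRiPt%3Avoid(0)&scope=openid
203.0.113.7 GET /application/o/authorize/?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb%3Fnext%3Djavascript_docs&scope=openid
"""

# Browsers drop leading C0 controls and spaces and ignore tab, LF and CR inside a URL,
# so a plain substring match on "javascript:" misses what the browser would still run.
_STRIP_INSIDE = re.compile(r"[\t\n\r]")
_STRIP_LEADING = re.compile(r"^[\x00-\x20]+")

def is_javascript_uri(value: str) -> bool:
    """True if a browser would treat the (already URL-decoded) value as a javascript: URI."""
    v = _STRIP_LEADING.sub("", _STRIP_INSIDE.sub("", value))
    return v.lower().startswith("javascript:")

def scan_line(line: str):
    """Return a finding for one request line, or None when no parameter carries a javascript: URI."""
    try:
        ip, _method, target = line.split(" ", 2)
    except ValueError:
        return None  # malformed line, skip
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %XX once
    hits = [name for name, value in params if is_javascript_uri(value)]
    if not hits:
        return None
    modes = [value for name, value in params if name == "response_mode"]
    return {"ip": ip, "path": parts.path, "params": hits, "form_post": "form_post" in modes}

def scan_log(text: str):
    """Findings for every line of the log, in order; form_post=True marks the case this CVE covers."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The fourth sample line is a control: a legitimate redirect_uri that merely contains the substring "javascript" is not flagged, which a wildcard SIEM match would report.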
🔗 References
- https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.6
- https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.6
- https://github.com/goauthentik/authentik/security/advisories/GHSA-rjpr-7w8c-gv3j