CVE-2024-42490
📋 TL;DR
This vulnerability in authentik allows unauthenticated users to access sensitive API endpoints if they know specific object UUIDs. It affects authentik Identity Provider deployments, potentially exposing certificate data and private keys. While UUIDs are not easily guessable, this represents an authentication bypass vulnerability.
💻 Affected Systems
- authentik Identity Provider
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain private keys and certificates, enabling impersonation, MITM attacks, or complete compromise of authentication infrastructure.
Likely Case
Limited exposure of specific certificate data if UUIDs are discovered through other means like logs or information leaks.
If Mitigated
No impact if proper network segmentation and access controls prevent unauthorized API access.
🎯 Exploit Status
Exploitation requires knowledge of specific object UUIDs, which reduces likelihood of mass exploitation but enables targeted attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.4.4, 2024.6.4, or 2024.8.0
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-qxqc-27pr-wgc8
Restart Required: Yes
Instructions:
1. Back up your authentik configuration and database.
2. Update authentik to version 2024.4.4, 2024.6.4, or 2024.8.0 using your deployment method (Docker, Kubernetes, etc.).
3. Restart the authentik services.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the authentik API endpoints using firewall rules or network segmentation, so that only trusted networks can reach them.
Reverse Proxy Authentication
Add an authentication layer at the reverse proxy in front of the API endpoints, so that requests must be authenticated before they reach authentik.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate authentik API from untrusted networks.
- Monitor API access logs for unauthorized attempts to access certificate/key endpoints.
🔍 How to Verify
Check if Vulnerable:
Check the running authentik version: if it is older than the patched release for its series (2024.4.4 for 2024.4.x, 2024.6.4 for 2024.6.x) or is any release before 2024.8.0, treat the deployment as vulnerable.
Check Version:
For Docker: docker exec authentik authentik version. For Kubernetes or other deployments: check the image tag or version in the deployment manifest.
Verify Fix Applied:
After updating, verify version is 2024.4.4, 2024.6.4, or 2024.8.0 and test API endpoints require proper authentication.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /api/v3/crypto/certificatekeypairs/*/view_certificate/, /api/v3/crypto/certificatekeypairs/*/view_private_key/, or /api/v3/*/used_by/ endpoints
Network Indicators:
- Unusual API traffic patterns to certificate/key endpoints from unauthorized sources
SIEM Query:
source="authentik" AND (uri_path="/api/v3/crypto/certificatekeypairs/*/view_certificate/" OR uri_path="/api/v3/crypto/certificatekeypairs/*/view_private_key/") AND http_status=200 AND user="anonymous"
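A small detection script for the log indicators above, added here as an example; it is not part of the advisory or of the authentik project. It assumes a simplified JSON access-log shape (the field names path, status, user and remote are assumptions, so map them to your own log pipeline) and flags successful anonymous requests to the affected endpoints.

```python
import json
import re

# UUID wildcard for the "*" in the advisory's endpoint patterns.
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# The three endpoint families named in the advisory's log indicators.
SENSITIVE_PATHS = [
    re.compile(rf"^/api/v3/crypto/certificatekeypairs/{UUID}/view_certificate/$"),
    re.compile(rf"^/api/v3/crypto/certificatekeypairs/{UUID}/view_private_key/$"),
    re.compile(rf"^/api/v3/.+/{UUID}/used_by/$"),
]


def is_sensitive_path(path: str) -> bool:
    """True if the request path is one of the endpoints affected by CVE-2024-42490."""
    return any(p.match(path) for p in SENSITIVE_PATHS)


def find_unauthenticated_hits(log_lines):
    """Return (path, remote) for anonymous requests that succeeded (HTTP 200) against a sensitive endpoint.

    A 200 to an anonymous caller is the signal; a 401/403 means the endpoint
    correctly refused the request (e.g. on a patched instance).
    """
    hits = []
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise in the log stream is skipped
        if (
            ev.get("user") == "anonymous"
            and ev.get("status") == 200
            and is_sensitive_path(ev.get("path", ""))
        ):
            hits.append((ev["path"], ev.get("remote")))
    return hits


# Constructed sample log lines (not real authentik output; field names are assumptions).
KEYPAIR = "/api/v3/crypto/certificatekeypairs/0b6c1f6e-1a2b-4c3d-8e9f-a1b2c3d4e5f6"
SAMPLE_LOGS = [
    json.dumps({"path": KEYPAIR + "/view_private_key/", "status": 200, "user": "anonymous", "remote": "203.0.113.7"}),
    json.dumps({"path": KEYPAIR + "/view_certificate/", "status": 403, "user": "anonymous", "remote": "203.0.113.7"}),
    json.dumps({"path": KEYPAIR + "/view_certificate/", "status": 200, "user": "akadmin", "remote": "10.0.0.5"}),
    json.dumps({"path": KEYPAIR + "/used_by/", "status": 200, "user": "anonymous", "remote": "198.51.100.9"}),
    json.dumps({"path": "/api/v3/root/config/", "status": 200, "user": "anonymous", "remote": "198.51.100.9"}),
    "not a json line",
]

if __name__ == "__main__":
    for path, remote in find_unauthenticated_hits(SAMPLE_LOGS):
        print(f"ALERT anonymous 200 on {path} from {remote}")
```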