In Authentik versions prior to 2024.8.5 a medium severity vulnerability, CVE-2024-52307, was detected. The SECRET_KEY that protects the /-/metrics/ endpoint is checked with a comparison that is not constant-time, so an attacker can brute-force the key through a timing side channel. To fix this issue, update to version 2024.8.5 or 2024.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52307.
In Authentik versions prior to 2024.8.5 a high severity vulnerability, CVE-2024-52289, was detected. This vulnerability allows attackers to bypass redirect URI validation and potentially redirect users to malicious websites. To fix this issue, upgrade Authentik to version 2024.8.5 or 2024.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-52289.
In Authentik versions prior to 2024.8.5 a medium severity vulnerability, CVE-2024-52287, was detected. This vulnerability allows attackers to obtain OAuth tokens with scopes they are not authorized for when using the client_credentials or device_code grants. Such tokens could then be used to perform unauthorized actions in systems that trust them. To fix this issue, update to version 2024.8.5 or 2024.10.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52287.
In Consul Community Edition versions 1.9.0 through 1.20.0 and Consul Enterprise versions 1.9.0 through 1.20.0, 1.19.2, 1.18.4, and 1.15.14 a vulnerability, CVE-2024-10005 (rated medium severity by one listing and high by another), was detected. This vulnerability allows attackers to bypass HTTP request path-based access controls in Layer 7 (L7) traffic intentions, because the request path is not adequately normalized before it is matched against the rules; crafted URL paths can therefore reach HTTP paths the intention was meant to block. To fix this issue, upgrade Consul Community Edition to version 1.20.1 and Consul Enterprise to version 1.20.1, 1.19.3, 1.18.5, or 1.15.15. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-10005 or https://avd.aquasec.com/nvd/2024/cve-2024-10005.
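The gap behind this class of bug is a rule matcher that compares the raw request path against a prefix while the upstream serves the normalized form of that path. The following is an added example in Python; it is not Consul's code, and it does not claim to reproduce the specific bypass used in CVE-2024-10005, which the listing does not state. The rule set, the first-match-wins evaluation and the probe paths are hypothetical and show the general class: raw-prefix matching beside the same matcher run on a canonicalized path.

```python
from urllib.parse import unquote

# Hypothetical L7 rule set in the style of path-prefix rules: first matching
# rule wins. The rule shape is this example's own, not Consul's config format.
RULES = [
    {"action": "deny", "path_prefix": "/admin"},
    {"action": "allow", "path_prefix": "/"},
]


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments (RFC 3986 section 5.2.4) without
    letting '..' climb above the root. Expects a path starting with '/'."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:  # out[0] is the empty segment before the root '/'
                out.pop()
            continue
        out.append(seg)
    return "/".join(out)


def normalize_path(raw: str) -> str:
    """Canonicalize a request path before matching it against rules.

    Order matters: decode percent-escapes first so that '%2e%2e' becomes
    '..' and '%61dmin' becomes 'admin', then collapse repeated slashes,
    then resolve dot segments. This assumes the upstream treats a decoded
    '%2F' as a path separator; if it does not, decode everything except '/'.
    """
    path = raw.split("?", 1)[0]  # rules match the path, not the query string
    path = unquote(path)         # single decode, matching one upstream decode
    while "//" in path:
        path = path.replace("//", "/")
    if not path.startswith("/"):
        path = "/" + path
    return remove_dot_segments(path)


def evaluate(rules, request_path: str, normalize: bool) -> str:
    """Return 'allow' or 'deny' for request_path.

    normalize=False matches the raw path the way an inadequate matcher
    would; normalize=True matches the canonical form the upstream serves.
    """
    target = normalize_path(request_path) if normalize else request_path
    for rule in rules:
        if target.startswith(rule["path_prefix"]):
            return rule["action"]
    return "deny"  # default for unmatched paths; this example's choice


# Constructed request paths exercising the classic bypass shapes.
PROBES = [
    "/admin/users",            # straightforward; both variants deny
    "/%61dmin/users",          # percent-encoded 'a' defeats a literal match
    "/public/../admin/users",  # dot-segment traversal into the denied prefix
    "//admin/users",           # doubled slash defeats a literal prefix match
    "/%2e%2e/admin/users",     # percent-encoded dot segments
    "/admin/../public/x",      # false positive: raw match denies a public path
]


def compare_variants(paths=PROBES) -> dict:
    """Map each probe to (raw_decision, normalized_decision)."""
    return {p: (evaluate(RULES, p, False), evaluate(RULES, p, True)) for p in paths}


if __name__ == "__main__":
    for path, (raw, norm) in compare_variants().items():
        print(f"{path:26} raw={raw:5} normalized={norm}")
```

The caveat a practitioner wants here: the enforcement point's normalization has to match the upstream's exactly (number of decode passes, treatment of %2F, backslashes, trailing slashes, case folding). If the proxy decodes once and the upstream decodes twice, "%252e%252e" slips through the canonical form above, so the safest fix is to normalize the same way the upstream does, or to reject requests whose path is not already canonical.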
In Consul versions 1.4.1 through 1.19.x a medium severity vulnerability, CVE-2024-10086, was found. Because the server response omits a Content-Type HTTP header, a browser may interpret reflected user input as HTML, enabling a reflected cross-site scripting (XSS) attack. No fix version was listed at the time of this entry. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-10086.
In Consul versions 1.9.0 through 1.20.0 a high severity vulnerability, CVE-2024-10006, was detected. This vulnerability allows attackers to bypass HTTP header-based access rules in L7 traffic intentions. No fix version was listed at the time of this entry. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-10006.
In Vault Community versions 1.2.0 through 1.18.0 and Vault Enterprise versions 1.2.0 through 1.18.0, 1.17.7, and 1.16.11 a medium severity vulnerability, CVE-2024-8185, was detected. This vulnerability allows attackers to crash Vault clusters by flooding a specific API endpoint with requests, exhausting the available memory and disrupting the service. To fix this issue, update Vault Community to version 1.18.1 and Vault Enterprise to version 1.18.1, 1.17.8, or 1.16.12. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8185.
In Keycloak versions before 24.0.5 a high severity vulnerability, CVE-2024-3656, was detected. This vulnerability allows low-privilege users to reach administrative functionality through certain endpoints of the admin REST API, potentially leading to data breaches or system compromise. To fix this issue, upgrade Keycloak to version 24.0.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-3656.