Security

In Keycloak versions up to 26.0.6 a low severity vulnerability CVE-2024-10492 was detected. This vulnerability allows attackers with high privileges to confirm the existence of sensitive Vault files by creating resources like an LDAP provider configuration and a Vault read file. To address this issue users must upgrade to Keycloak versions 26.0.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10492.

In Keycloak versions up to 26.0.6 a high severity vulnerability CVE-2024-10270 was detected. This vulnerability allows attackers to trigger a denial of service (DoS) by exhausting system resources due to Regex complexity if untrusted data is passed to the SearchQueryUtils method. To address this issue, users must upgrade to Keycloak versions 26.0.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10270.

In Authentik versions prior to 2024.8.5 a medium severity vulnerability CVE-2024-52307 was detected. This vulnerability allows attackers to brute-force the SECRET_KEY, which secures the /-/metrics/ endpoint, due to a flaw in how comparisons are done. To fix this issue, users need to update to versions 2024.8.5 or 2024.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52307.

In Authentik versions prior to 2024.8.5 a high severity vulnerability CVE-2024-52289 was detected. This vulnerability allows attackers to bypass redirect URI validation and potentially redirect users to malicious websites. To fix this issue, users should upgrade Authentik to versions 2024.8.5 and 2024.10.3. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-52289.

In Authentik versions prior to 2024.8.5 a medium severity vulnerability CVE-2024-52287 was detected. This vulnerability allows attackers to obtain OAuth tokens with unauthorized scopes using client_credentials or device_code grants. These tokens could be used to perform malicious actions in trusted systems. To fix this issue, users need to update to versions 2024.8.5 or 2024.10.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52287.

In Vault Community versions from 1.2.0 up to 1.18.0 and Vault Enterprise versions from 1.2.0 up to 1.18.0, 1.17.7, 1.16.11 a medium severity vulnerability CVE-2024-8185 was detected. This vulnerability allows attackers to crash Vault clusters by sending too many requests to a specific API endpoint, which can use up all the available memory and disrupt the service. To fix this issue, users should update Vault Community to version 1.18.1 and Vault Enterprise to versions 1.18.1, 1.17.8, and 1.16.12. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8185.

In Keycloak version before 24.0.5 a high severity vulnerability CVE-2024-3656 was detected. This vulnerability allows low-privilege users to access administrative functionalities via certain endpoints in the admin REST API, potentially leading to data breaches or system compromise. To fix this issue, users should upgrade Keycloak to versions 24.0.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-3656.

In Vault Community Edition versions from 1.7.7 up to 1.17.5 and Vault Enterprise from 1.7.7 up to 1.17.5, 1.16.9, and 1.15.14 a medium severity vulnerability CVE-2024-7594 was detected. This vulnerability allows attackers to authenticate as any user on the host by exploiting an SSH certificate requested by an authorized user, potentially leading to unauthorized access to sensitive resources and data. To fix this issue, users should upgrade Vault Community Edition to version 1.17.6 and Vault Enterprise to versions 1.17.6, 1.16.10, and 1.15.15 For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-7594.

In Authentik versions prior to 2024.8.3 and 2024.6.5 a medium severity vulnerability CVE-2024-47070 was detected. This vulnerability allows attackers to bypass the password login and access any account if they can provide an invalid IP address in the X-Forwarded-For header, but only if the system trusts that header. To fix this issue, users should upgrade Authentik to versions 2024.8.3 or 2024.6.5. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-47070.