Security

In Authentik a high severity vulnerability CVE-2024-38371 was detected. This vulnerability allows attackers to get access to the system. To address this issue, users must update to versions 2024.6.0, 2024.2.4, and 2024.4.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-38371/.

In Authentik a high severity vulnerability CVE-2024-37905 was detected. This vulnerability allows attackers to get admin access. To address this issue, users should update Authentik to versions 2024.6.0, 2024.2.4, and 2024.4.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37905/.

In FreeIPA a high severity vulnerability CVE-2024-2698 was detected. This vulnerability allows attackers to get access by bypassing the authorization. There is not solution to this yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-2698/.

In Keycloak a low severity vulnerability CVE-2024-5967 was detected. This flaw in the LDAP testing endpoint of Keycloak allows an attacker with admin access to change the LDAP connection URL to their server, potentially exposing domain credentials. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5967/.

In FreeIPA involving Kerberos TGS-REQ (Ticket Granting Service Request) a high severity vulnerability CVE-2024-3183 was detected. It allows attackers who compromise a principal to potentially decrypt tickets encrypted with other principals’ keys. By offline brute-force attacks on stolen tickets and salts, attackers could find passwords and decrypt these tickets. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-3183.

In WooCommerce a medium severity vulnerability CVE-2024-35634 was detected. This vulnerability allows attackers to include local PHP files by using recent purchases. There is no solution to this yet. For more details, visit https://www.cvedetails.com/cve/CVE-2024-35634/.

In Keycloak a high severity vulnerability CVE-2024-1132 was detected. URLs included in a redirect are not properly validated. Attackers can create malicious requests to bypass validation and access other URLs and sensitive information. It affects clients using a wildcard in the Valid Redirect URIs field and needs user interaction. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-1132/.

In the Keycloak OpenID Connect component in the “checkLoginIframe” a high severity vulnerability CVE-2024-1249 was detected. The vulnerability allows unvalidated cross-origin messages. Attackers can coordinate and send millions of requests in seconds using simple code. It significantly impacts the application’s availability without proper origin validation for incoming messages. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-1249/.

In Vault and Vault Enterprise versions from 1.14.0 up to 1.15.6 and 1.14.10 a medium severity vulnerability CVE-2024-2660 was detected. The TLS certificate authentication method failed to verify Online Certificate Status Protocol (OCSP) responses from multiple sources, potentially allowing unauthorized access. This issue is resolved in Vault version 1.16.0 and Vault Enterprise versions 1.16.1, 1.15.7, and 1.14.11. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-2660/.