CVE Vulnerability

CVE-2021-29456

Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. This security issue does not directly impact the security of the web application itself. As a workaround, one can use a reverse proxy to strip the query parameter from the affected endpoint. There is a patch for version 4.28.0.

4.9 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

5.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/authelia/authelia/security/advisories/GHSA-36f2-fcrx-fp4j Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:authelia:authelia:*:*:*:*:*:*:*:*
Information

Published : 2021-04-21 07:15

Updated : 2021-04-27 08:43

NVD link : CVE-2021-29456

Mitre link : CVE-2021-29456

Products Affected
No products.
CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')