CVE-2023-48228 : Security Advisory and Response

This article discusses the OAuth2 vulnerability with PKCE circumvention in the authentik open-source identity provider.

Understanding CVE-2023-48228

This CVE details a vulnerability where the authentik identity provider fails to properly authenticate when utilizing PKCE in OAuth2 authorization flows.

What is CVE-2023-48228?

In authentik prior to versions 2023.10.4 and 2023.8.5, the system accepted token requests without verifying the

code_verifier

, leading to a security flaw in the PKCE mechanism.

The Impact of CVE-2023-48228

The vulnerability allows malicious actors to bypass authentication checks, potentially leading to unauthorized access and security breaches.

Technical Details of CVE-2023-48228

This section delves into the specifics of the vulnerability.

Vulnerability Description

The issue lies in authentik's failure to verify the

code_verifier

during the token step, even when initiated with a

code_challenge

, prior to versions 2023.10.4 and 2023.8.5.

Affected Systems and Versions

Vendor: goauthentik
Product: authentik
Vulnerable Versions: < 2023.10.4, < 2023.8.5

Exploitation Mechanism

Attackers can exploit this vulnerability by skipping the

code_verifier

validation step, granting unauthorized access to protected resources.

Mitigation and Prevention

To secure your systems against CVE-2023-48228, follow these recommendations.

Immediate Steps to Take

Update authentik to version 2023.10.4 or 2023.8.5 to mitigate the vulnerability.
Implement additional authentication measures to enhance security.

Long-Term Security Practices

Regularly monitor and update authentication protocols within your identity provider.
Conduct security audits to identify and address any potential vulnerabilities.

Patching and Updates

Stay informed about security advisories and promptly apply patches to address known vulnerabilities.