CVE-2021-29456
Last modified
CVE-2021-29456 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. EPSS estimates a 0.51% chance of exploitation in the next 30 days.
Description
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. This security issue does not directly impact the security of the web application itself. As a workaround, one can use a reverse proxy to strip the query parameter from the affected endpoint. There is a patch for version 4.28.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Authelia | Authelia | < 4.28.0 |
References
- https://github.com/authelia/authelia/security/advisories/GHSA-36f2-fcrx-fp4jPatch, Third Party Advisory
- https://github.com/authelia/authelia/security/advisories/GHSA-36f2-fcrx-fp4jPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-29456?
How severe is CVE-2021-29456?
How do I fix CVE-2021-29456?
Are you affected by CVE-2021-29456?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST