CVE-2022-46145
Published: 02 December 2022
Summary
CVE-2022-46145 is a high-severity Improper Authentication (CWE-287) vulnerability in Goauthentik Authentik. Its CVSS base score is 8.1 (High).
Operationally, ranked in the top 16.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-48983
Vulnerability details
authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows…
more
for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session content review can reveal authentication bypasses or failures in session establishment.
Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.
Documented IA policy and procedures require proper authentication mechanisms to be defined and followed, reducing improper authentication.
Requires adaptive authentication under specific conditions, directly strengthening authentication mechanisms against improper or insufficient authentication.
Identity providers centralize and enforce authentication mechanisms, reducing improper authentication.
Requires unique identification and authentication of organizational users, directly preventing improper authentication.
Enforces unique device identification and authentication before any connection is established, directly mitigating improper authentication weaknesses.
Directly requires implementation of compliant authentication mechanisms to cryptographic modules, preventing improper authentication.