CVE-2023-39522
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2023-39522 affects goauthentik (authentik), an open-source identity provider. It applies to configurations in which a recovery flow is enabled and that flow includes an identification stage. In that setup the stage gives a clear, distinct response when a submitted username matches no account, so an attacker can determine whether a given username exists by submitting candidate usernames and observing the response. Every user with an account on the affected instance is exposed to this enumeration. Upgrading to version 2023.5.6 or 2023.6.2 resolves the issue; no workarounds are known.
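The following is an added illustration, not authentik's own code: it models a recovery-flow identification stage in the leaky form the summary describes next to a uniform-response form, and includes a defender-side check that flags when responses reveal user existence. The user names, messages and status codes are constructed.

```python
# Added example (not authentik's code): models a recovery-flow identification
# stage and checks whether its responses let a caller tell existing usernames
# from non-existent ones, the weakness described in CVE-2023-39522.
from dataclasses import dataclass

# Constructed user store standing in for the identity provider's directory.
KNOWN_USERS = {"alice", "bob"}


@dataclass(frozen=True)
class StageResponse:
    status: int
    message: str


def identify_vulnerable(username: str) -> StageResponse:
    """Leaky behaviour: the stage states plainly when no user matches."""
    if username in KNOWN_USERS:
        return StageResponse(200, "Recovery email sent.")
    return StageResponse(400, "No user found with this username.")


def _queue_recovery_email(username: str) -> None:
    # Stand-in for a real mail stage; nothing here reaches the HTTP response.
    pass


def identify_hardened(username: str) -> StageResponse:
    """Uniform behaviour: the same status and message whether or not the
    username exists. The recovery email is only queued for real users, a
    side effect the requester cannot observe from the response."""
    if username in KNOWN_USERS:
        _queue_recovery_email(username)
    return StageResponse(200, "If an account exists, a recovery email was sent.")


def responses_distinguishable(stage, existing: str, missing: str) -> bool:
    """Defender-side check: True when the stage leaks user existence, i.e. an
    existing and a non-existent username yield different responses."""
    return stage(existing) != stage(missing)
```

The check is meant to run against the constructed handlers above; pointing it at a real instance would require capturing the actual stage responses in the same structure.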
Affected Products
- Goauthentik Authentik