CVE-2023-39522

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published: Aug 29, 2023
Updated: Sep 1, 2023
CWE ID: 203

Summary

CVE-2023-39522 affects goauthentik (authentik), an open-source Identity Provider. In vulnerable configurations where the recovery flow is enabled and includes an identification stage, an attacker can determine whether a given username exists. The identification stage returns a distinguishable response when the submitted username does not match any account, so submitting candidate usernames and comparing the responses reveals which accounts exist. All users with accounts on the affected system are exposed. Upgrading to version 2023.5.6 or 2023.6.2 resolves the issue; no workarounds are known.
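The following is an added illustration of the CWE-203 pattern described above and of the uniform-response mitigation; it is not authentik's code, and the handler names, the `Response` type and the inline user directory are hypothetical stand-ins constructed for the example.

```python
"""Added example (not authentik's code): why a recovery flow's identification
stage can leak account existence, and the uniform-response fix.
All names are hypothetical; the user directory below is constructed inline."""
from dataclasses import dataclass

# Constructed sample user directory (stand-in for the IdP's user store).
USERS = {"alice": "alice@example.invalid", "bob": "bob@example.invalid"}

# Records addresses a recovery mail would have been sent to (stand-in for a mailer).
SENT: list[str] = []


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def send_recovery_mail(address: str) -> None:
    """Stand-in for the real mail sender; only records the address."""
    SENT.append(address)


def recovery_identify_leaky(username: str) -> Response:
    """Vulnerable pattern (CWE-203, observable discrepancy): the 'not found'
    branch returns a distinguishable status and body, so the response itself
    acts as an oracle for which usernames exist."""
    if username not in USERS:
        return Response(400, "No such user")
    send_recovery_mail(USERS[username])
    return Response(200, "Recovery e-mail sent")


def recovery_identify_uniform(username: str) -> Response:
    """Hardened pattern: the same status and body are returned whether or not
    the username matches; the side effect (sending mail) happens only for a
    real account, which the requester cannot observe."""
    email = USERS.get(username)
    if email is not None:
        send_recovery_mail(email)
    return Response(200, "If that account exists, a recovery e-mail has been sent")


def oracle_distinguishes(handler, known: str, unknown: str) -> bool:
    """True if the handler's responses differ for an existing and a
    non-existing username, i.e. the handler leaks account existence."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky handler leaks:", oracle_distinguishes(recovery_identify_leaky, "alice", "mallory"))
    print("uniform handler leaks:", oracle_distinguishes(recovery_identify_uniform, "alice", "mallory"))
```

Equal status codes and bodies are necessary but not sufficient: a real identification stage should also avoid timing differences between the two branches (for example, by not returning early before the mail lookup), and detection teams can watch for bursts of recovery-flow submissions with many distinct usernames from one source.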

