CVE-2024-45042
CVSS 3.1 Score 4.4 of 10 (medium)
Details
Summary
CVE-2024-45042 is a vulnerability affecting the Ory Kratos identity management system, specifically versions prior to 1.3.0. Under certain conditions, the system incorrectly assumes a user's highest available Multi-Factor Authentication (MFA) level is `aal1`, when it is actually `aal2`. This misconfiguration allows users to call the settings and whoami endpoints without providing an `aal2` session, even though they should be required to. For an attacker to exploit this vulnerability, they would need to steal or guess a valid login One-Time Password (OTP) of an affected user who has only OTP for login enabled and an incorrect `available_aal` value. Approximately 0.00066% of Ory Network's registered users were impacted, mostly consisting of test users. Version 1.3.0 is not vulnerable, and as a workaround, those requiring MFA can disable the passwordless code login method. Alternatively, check the user's session `aal` to confirm whether it is `aal1` or `aal2`.
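The second workaround above, checking the session's own `aal` rather than trusting the computed highest available level, can be enforced in application code in front of the settings endpoint. The following is an added example, not code from Ory Kratos or from the advisory: it parses a whoami-style session document and denies access unless the session is active and carries `aal2`. The JSON field name `authenticator_assurance_level` and the sample session bodies are assumptions for this example (the advisory only says to check the session `aal`).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Session holds the subset of a whoami response this check needs.
// The field name authenticator_assurance_level is assumed here; confirm it
// against the Kratos version you run.
type Session struct {
	ID                          string `json:"id"`
	Active                      bool   `json:"active"`
	AuthenticatorAssuranceLevel string `json:"authenticator_assurance_level"`
}

var (
	ErrInactive        = errors.New("session is not active")
	ErrInsufficientAAL = errors.New("session is not aal2; step-up authentication required")
)

// RequireAAL2 parses a whoami response body and returns the session only if it
// is active and at aal2. Gate the settings handler (and any other sensitive
// operation) on a nil error from this function instead of on the identity's
// computed available_aal.
func RequireAAL2(body []byte) (*Session, error) {
	var s Session
	if err := json.Unmarshal(body, &s); err != nil {
		return nil, fmt.Errorf("parse session: %w", err)
	}
	if !s.Active {
		return nil, ErrInactive
	}
	if s.AuthenticatorAssuranceLevel != "aal2" {
		return &s, ErrInsufficientAAL
	}
	return &s, nil
}

// Constructed sample responses, not captured from a real deployment.
const (
	aal1Session     = `{"id":"sess-1","active":true,"authenticator_assurance_level":"aal1"}`
	aal2Session     = `{"id":"sess-2","active":true,"authenticator_assurance_level":"aal2"}`
	inactiveSession = `{"id":"sess-3","active":false,"authenticator_assurance_level":"aal2"}`
)

func main() {
	for _, body := range []string{aal1Session, aal2Session, inactiveSession} {
		s, err := RequireAAL2([]byte(body))
		id := "<unparsed>"
		if s != nil {
			id = s.ID
		}
		if err != nil {
			fmt.Printf("deny  %s: %v\n", id, err)
			continue
		}
		fmt.Printf("allow %s (aal2)\n", id)
	}
}
```

The check deliberately reads only the session document: the vulnerability is that the server-side estimate of the user's highest available level was wrong, so a gate that looks at what the session actually proved is unaffected by that estimate.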
Affected Products
- Kratos