Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. This security issue does not directly impact the security of the web application itself. As a workaround, one can use a reverse proxy to strip the query parameter from the affected endpoint. There is a patch for version 4.28.0.
Published 2021-04-21 19:15:36
Updated 2021-04-27 20:43:12
Source GitHub, Inc.
View at NVD,   CVE.org
Vulnerability category: Open redirect

Exploit prediction scoring system (EPSS) score for CVE-2021-29456

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 21 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-29456

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source
4.9
MEDIUM AV:N/AC:M/Au:S/C:P/I:P/A:N
6.8
4.9
NIST
5.4
MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
2.3
2.7
NIST
5.7
MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
2.1
3.6
GitHub, Inc.

CWE ids for CVE-2021-29456

References for CVE-2021-29456

Products affected by CVE-2021-29456

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!