CVE-2021-29456 MEDIUM

CVE-2021-29456: Authelia allows open redirects on the logout endpoint

Vendor Authelia
Product authelia
Weakness CWE-601 · Open redirect
Published April 21, 2021
Last update August 3, 2024

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. This security issue does not directly impact the security of the web application itself. As a workaround, one can use a reverse proxy to strip the query parameter from the affected endpoint. There is a patch for version 4.28.0.

Key dates

02Disclosure timeline

April 21, 2021 CVE published
August 3, 2024 Record updated