Improper Authorization Affecting github.com/authelia/authelia/v4/internal/handlers package, versions >=4.37.0 <4.38.0
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMAUTHELIAAUTHELIAV4INTERNALHANDLERS-6672886
- published 24 Apr 2024
- disclosed 22 Apr 2024
- credit ezrizhu
How to fix?
Upgrade github.com/authelia/authelia/v4/internal/handlers to version 4.38.0 or higher.
Overview
Affected versions of this package are vulnerable to Improper Authorization. Under very specific conditions, changes to a user's groups may not have the expected results when the file authentication backend is used with the watch option set to true, the refresh_interval is configured to a non-disabled value, and the user's groups are adjusted by an administrator. This can lead to situations where administrators may find that access control changes are not taken into account for longer than expected periods.
Note
This vulnerability can't have an impact on unauthenticated users.
This vulnerability can't have an impact on configurations utilizing the LDAP backend.
This vulnerability can't be directly or indirectly caused by a user's or third party's actions.
Workaround
Ensure you restart between user database changes.