CVE-2021-29456: 
NixOS vulnerability analysis and mitigation

Authelia, an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for applications via a web portal, was found to contain an open redirect vulnerability in versions 4.27.4 and earlier. The vulnerability was discovered and disclosed on April 21, 2021, and was assigned CVE-2021-29456. The issue allows attackers to redirect users from the web application to any domain, including potentially malicious sites, through manipulation of HTTP query parameters (GitHub Advisory).

The vulnerability stems from insufficient URL validation on the logout endpoint. While other endpoints in the application properly validate domains by checking both the HTTPS protocol and domain association with the application, the logout endpoint failed to implement these checks. This oversight allows attackers to specify arbitrary redirect destinations via HTTP query parameters. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network vector attack with low complexity, requiring low privileges and user interaction (NVD).

While this vulnerability does not directly compromise the security of the web application itself, it enables attackers to conduct more convincing phishing attempts. The vulnerability is particularly dangerous because it allows attackers to leverage the trust users have in the legitimate application, as the initial redirect comes from a familiar and trusted source. This can make phishing attempts appear more credible to users who are accustomed to visiting the legitimate site (GitHub Advisory).

The vulnerability has been patched in version 4.28.0 with commit f0cb75e. For users unable to upgrade immediately, a workaround is available by using a reverse proxy to strip the query parameter from the affected endpoint. The Authelia team recommends upgrading as the preferred solution, though they are willing to consider creating back-ported fixes for users who cannot upgrade if they can provide sufficient justification (GitHub Advisory).