CVE-2021-32637: 
NixOS vulnerability analysis and mitigation

Authelia, a single sign-on multi-factor portal for web apps, was found to contain an authentication bypass vulnerability (CVE-2021-32637) that affects users utilizing nginx ngxhttpauthrequestmodule. The vulnerability was discovered in May 2021 and allows malicious actors to bypass authentication mechanisms by crafting malformed HTTP requests (GitHub Advisory).

The vulnerability affects versions v4.0.0-alpha1 to v4.29.2 of Authelia. When using nginx's ngxhttpauthrequestmodule, a malformed URI path in the HTTP request could lead to authentication bypass. While the vulnerability could theoretically affect other proxy servers, all officially supported ones except nginx prevent malformed URI paths. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.7, reflecting high attack complexity and potential for significant impact on confidentiality and integrity (GitHub Advisory).

The vulnerability allows unauthorized access to protected resources by bypassing authentication mechanisms. This could lead to significant breaches in confidentiality and integrity of protected systems, though it does not directly impact system availability (GitHub Advisory).

The vulnerability was patched in Authelia version v4.29.3. For users unable to upgrade immediately, a workaround involves adding a block in the nginx configuration that fails requests containing malformed URIs in the internal location block. A regex check can be implemented to ensure only valid characters are present in the $request_uri header (GitHub Advisory).