CVE-2023-36456: 
Chainguard vulnerability analysis and mitigation

CVE-2023-36456 affects authentik, an open-source Identity Provider, in versions prior to 2023.4.3 and 2023.5.5. The vulnerability stems from the application's failure to verify the source of X-Forwarded-For and X-Real-IP headers in both Python and Go code components (Vendor Advisory). This vulnerability primarily affects authentik setups that are directly accessible by users without a reverse proxy.

The vulnerability has been assigned a CVSS v3.1 base score of 8.3 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). The issue relates to improper validation of proxy headers, specifically X-Forwarded-For and X-Real-IP, which could allow unauthorized manipulation of IP address information (NVD).

The vulnerability has three main impact vectors: 1) Security bypass risk in flows or policies that check user IP addresses, such as bypassing two-factor authentication when connected to company networks, 2) Unreliable IP address logging in user sessions and account logs, making it impossible to verify the actual source of login attempts, and 3) Potential manipulation of IP-based verification, logging, blocking, or rate limiting in proxied applications behind an outpost (Vendor Advisory).

The vulnerability has been patched in versions 2023.4.3 and 2023.5.5. Users should upgrade to these or newer versions to mitigate the risk (Release Notes, Release Notes).