
Cloud Vulnerability DB
A community-led vulnerabilities database
Authentik, an open-source Identity Provider, was found to contain a vulnerability (CVE-2024-23647) in its implementation of PKCE (Proof Key for Code Exchange). The vulnerability was discovered in versions 2023.10.0 through 2023.10.6 and versions up to 2023.8.6, and was disclosed on January 29, 2024. This security flaw allows attackers to bypass PKCE protection, which is a crucial security measure in OAuth2 for both public and confidential clients (GitHub Advisory).
The vulnerability is a downgrade attack against the PKCE implementation. PKCE binds the code_challenge parameter of the authorization request to the code_verifier parameter of the later token request; the server must only accept the exchange when the verifier matches the stored challenge. An earlier fix (2023.8.5 and 2023.10.4) stopped authentik from accepting token requests in which the attacker had simply removed the code_verifier parameter. That fix was incomplete: an attacker could still bypass PKCE by removing the code_challenge parameter from the authorization request, so that the issued authorization code was not bound to any challenge at all. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Moderate): attack vector Network, attack complexity Low, no privileges required, user interaction required (GitHub Advisory).
Because a code issued without a challenge can be redeemed without proof of possession, an attacker can carry out authorization code injection even against clients that use PKCE, which is precisely the attack PKCE is meant to prevent. This undermines the protection PKCE provides against authorization code injection and CSRF-style login attacks. The impact is to the integrity of the authentication process; confidentiality and availability are not affected (GitHub Advisory).
The vulnerability has been patched in authentik versions 2023.10.7 and 2023.8.7, and users are advised to upgrade. The fix validates the PKCE parameters as a pair, as the OAuth 2.0 Security Best Current Practice recommends, rather than skipping the check whenever one of them is absent (GitHub Advisory, Fortiguard).
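The following is an added example written for this page, not authentik's code: a minimal in-memory OAuth2 authorization server whose token endpoint can run either a vulnerable PKCE check of the kind described above (verify only when both code_challenge and code_verifier happen to be present, otherwise silently accept) or a hardened one that rejects an exchange in which exactly one half of the pair is missing. The client name "spa-client" and the optional require_pkce policy switch are assumptions made for the demonstration; the S256 test vector in the usage note is from RFC 7636, Appendix B.

```python
"""Model of the PKCE downgrade in CVE-2024-23647 beside a hardened check.

Added example for illustration only; it is not authentik's implementation.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy authorization server. `vulnerable` selects the downgradeable check;
    `require_pkce` (assumed policy knob) refuses authorization requests that
    carry no code_challenge at all, the recommended setting for public clients."""

    def __init__(self, vulnerable: bool, require_pkce: bool = False) -> None:
        self.vulnerable = vulnerable
        self.require_pkce = require_pkce
        self._codes: Dict[str, dict] = {}

    def authorize(self, client_id: str, code_challenge: Optional[str] = None,
                  code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: issue a code bound to the challenge, if any."""
        if self.require_pkce and code_challenge is None:
            raise ValueError("invalid_request: code_challenge is required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id,
                             "code_challenge": code_challenge,
                             "method": code_challenge_method}
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str] = None) -> bool:
        """Token endpoint: True if the code exchange is accepted."""
        rec = self._codes.pop(code, None)  # authorization codes are single use
        if rec is None or rec["client_id"] != client_id:
            return False
        check = self._vulnerable_check if self.vulnerable else self._hardened_check
        return check(rec["code_challenge"], rec["method"], code_verifier)

    @staticmethod
    def _expected(method: str, code_verifier: str) -> str:
        return s256_challenge(code_verifier) if method == "S256" else code_verifier

    @classmethod
    def _vulnerable_check(cls, challenge, method, code_verifier) -> bool:
        # Verified only when a challenge was stored AND a verifier arrived.
        # If either was stripped, the check is skipped: that is the downgrade.
        if challenge is None or code_verifier is None:
            return True
        return hmac.compare_digest(cls._expected(method, code_verifier), challenge)

    @classmethod
    def _hardened_check(cls, challenge, method, code_verifier) -> bool:
        # Neither half present: the client never opted into PKCE (only
        # acceptable when require_pkce is False for this client).
        if challenge is None and code_verifier is None:
            return True
        # Exactly one half present: a parameter was removed, reject.
        if challenge is None or code_verifier is None:
            return False
        return hmac.compare_digest(cls._expected(method, code_verifier), challenge)


CLIENT_ID = "spa-client"  # hypothetical public client


def legitimate_flow(server: AuthorizationServer) -> bool:
    verifier = secrets.token_urlsafe(32)
    code = server.authorize(CLIENT_ID, code_challenge=s256_challenge(verifier))
    return server.token(CLIENT_ID, code, code_verifier=verifier)


def verifier_strip_attack(server: AuthorizationServer) -> bool:
    """Earlier downgrade: redeem an intercepted code with no code_verifier."""
    verifier = secrets.token_urlsafe(32)
    code = server.authorize(CLIENT_ID, code_challenge=s256_challenge(verifier))
    return server.token(CLIENT_ID, code, code_verifier=None)


def code_injection_attack(server: AuthorizationServer) -> bool:
    """CVE-2024-23647 pattern: the attacker obtains a code from an authorization
    request with code_challenge removed and injects it into the victim's client
    callback; the victim's client finishes the exchange with its own verifier."""
    injected_code = server.authorize(CLIENT_ID, code_challenge=None)
    victim_verifier = secrets.token_urlsafe(32)  # unrelated to the injected code
    return server.token(CLIENT_ID, injected_code, code_verifier=victim_verifier)
```

Against the vulnerable server both attacks return True; against the hardened server both return False while the legitimate flow still succeeds. Note that the hardened check alone still accepts a flow in which the client sent no PKCE parameters at all, so for public clients the provider should additionally refuse challenge-less authorization requests (the require_pkce switch above), which is what turns the check into a policy rather than an opt-in.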
Source: This report was generated using AI