How severe is CVE-2024-52307?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2024-52307?

This is classified as CWE-208, which is a common weakness in software security.

CVE-2024-52307 - MEDIUM Severity | CVSS N/A

Vulnerability Description

authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. authentik 2024.8.5 and 2024.10.3 fix this issue. Since the /-/metrics/ endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik.

Related Vulnerabilities

CVE-2021-21575

CRITICAL

CVSS:9.8(Critical)

Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Observable Timing Discrepancy Vulnerability.

CWE-2082021

CVE-2021-43298

CRITICAL

CVSS:9.8(Critical)

The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can br...

CWE-2082021

CVE-2023-41313

CRITICAL

CVSS:9.8(Critical)

The authentication method in Apache Doris versions before 2.0.0 was vulnerable to timing attacks. Users are recommended to upgrade to version 2.0.0 + or 1.2.8, which fixes this issue.

CWE-2082023

CVE-2024-42512

HIGH

CVSS:8.6(High)

Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled.

CWE-2082024

CVE-2023-25529

HIGH

CVSS:8.1(High)

NVIDIA DGX H100 BMC and DGX A100 BMC contains a vulnerability in the host KVM daemon, where an unauthenticated attacker may cause a leak of another user’s session token by observing timing discrepanci...

CWE-2082023

CVE-2024-29995

HIGH

CVSS:8.1(High)

Windows Kerberos Elevation of Privilege Vulnerability

CWE-2082024