Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14ODgzLTJ2bWcteHdmN84AA7PJ

Authelia's Group Changes may not have the expected results (YAML file backend)

Impact

Under very specific conditions, changes to a user's groups may not have the expected results.

The specific conditions are:

When these conditions are met, administrators may find that the changes are not taken into account by access control for longer than expected. While this may not necessarily be a security vulnerability, it is security-adjacent; because of its unexpected nature and our dedication to a security-first culture, we feel it's important to make users aware of this behaviour, and of the existence of a fix, by way of a security advisory.

This:

Patches

This behaviour was identified after it was inadvertently fixed in the master branch during the multi-cookie domain rework (i.e. between feature releases). A patch for prior versions can be provided upon request. The fix was to ensure the details are updated regardless of backend; it was a small oversight in previous functionality that made refreshing ineffectual prior to v4.37.0.

Workarounds

Ensure you restart between user database changes.

References

Permalink: https://github.com/advisories/GHSA-x883-2vmg-xwf7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14ODgzLTJ2bWcteHdmN84AA7PJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 11 days ago
Updated: 11 days ago
CVSS Score: 1.6
CVSS vector: CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

Identifiers: GHSA-x883-2vmg-xwf7
References: Repository: https://github.com/authelia/authelia
Blast Radius: 1.0

Affected Packages

go:github.com/authelia/authelia/v4
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 4.37.0, < 4.38.0
Fixed in: 4.38.0
All affected versions: 4.37.0, 4.37.1, 4.37.2, 4.37.3, 4.37.4, 4.37.5
All unaffected versions: 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 4.13.1, 4.14.0, 4.14.1, 4.14.2, 4.15.0, 4.15.1, 4.16.0, 4.17.0, 4.18.0, 4.18.1, 4.19.0, 4.19.1, 4.19.2, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.24.0, 4.24.1, 4.25.0, 4.25.1, 4.25.2, 4.26.0, 4.26.1, 4.26.2, 4.27.0, 4.27.1, 4.27.2, 4.27.3, 4.27.4, 4.28.0, 4.28.1, 4.28.2, 4.29.0, 4.29.1, 4.29.2, 4.29.3, 4.29.4, 4.30.0, 4.30.1, 4.30.2, 4.30.3, 4.30.4, 4.30.5, 4.31.0, 4.32.0, 4.32.1, 4.32.2, 4.33.0, 4.33.1, 4.33.2, 4.34.0, 4.34.1, 4.34.2, 4.34.3, 4.34.4, 4.34.5, 4.34.6, 4.35.0, 4.35.1, 4.35.2, 4.35.3, 4.35.4, 4.35.5, 4.35.6, 4.36.0, 4.36.1, 4.36.2, 4.36.3, 4.36.4, 4.36.5, 4.36.6, 4.36.7, 4.36.8, 4.36.9, 4.38.0, 4.38.1, 4.38.2, 4.38.3, 4.38.4, 4.38.5, 4.38.6, 4.38.7, 4.38.8