GHSA-j748-h363-wqj8

Authelia has an Edge Case Access Control Rule Mismatch

Details

### Impact

**CVSSv4 Baseline Score:** Low 2.4

**CVSSv4 Weighted Score:** Low 1.3

The full CVSSv4 Vector for this vulnerability is:

> CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:H/IR:L/AR:L/MAV:N/MAC:H/MAT:P/MPR:L/MVC:L/MVI:N/MVA:N/MSC:L/MSI:N/MSA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Amber

**CVSSv3.1 Baseline Score:** Low 3.1

**CVSSv3.1 Overall Score:** Low 3.4

The full CVSSv3.1 Vector equivalent for this vulnerability is:

> CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:L/MUI:X/MS:U/MC:L/MI:N/MA:N

The weighted severity rating reflects that, at the time of publication, there was no indication this issue is being exploited, and that exploitation is considered unlikely. The vectors have been chosen based on the scenario most likely to exist in real configurations.

In addition to that weighting, our assessment considers that the configuration required for this vulnerability to be exploited is highly unlikely, and that in most scenarios an attacker is unlikely to be able to determine whether the exploit is available or whether it succeeded, except in rare situations. This limited visibility for the attacker was not, however, reflected in our assessment.

### Summary

Due to a lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request.

### Details

This attack vector must be executed in a highly specific scenario which we do not believe any user would find themselves in. In an abundance of caution we are issuing this advisory, and we would appreciate it if any users who find themselves in this configuration report it to us, including both the access control section and the session section, so that we can best advise the community of the actual impact.

The specific conditions that could lead to a security issue from this vulnerability are as follows:

1. The specific target resource of the attack must be using the forwarded authorization integration.
2. The requested domain must have two additional segments compared to a session domain, i.e. `a.b.example.com` is requested, but the session domain is `example.com`.
3. The access control rules must specify two separate rules which both contain inexact domain matches such as `*.b.example.com` and `*.example.com`, i.e. wildcards, username matches, group matches.
4. The rules must be in order of most specific domain to least specific domain.
5. The second rule must be **more permissive** than the first rule.
6. The second rule must also **match all criteria** of the given request.
7. The attacker must specifically request a URL for the more specific domain, with the second part containing one or more capitalized letters, i.e. `https://a.B.example.com`, and no other segment with capitalized letters.
8. The integration used must not be the Envoy ExtAuthz integration.
9. The proxy must not canonicalize the requested host name in the relevant header before sending it to the relevant authorization endpoint.

The kind of configuration used to produce this issue and result in a `bypass` rule being matched has long been highly discouraged. Essentially, hosts which should be bypassed entirely should not be secured by having the proxy check them with the authorization handlers.

It should also be noted that this has been heavily mitigated by another bug, where the session domain would not match if any part of the configured session domain was capitalized (fixed in https://github.com/authelia/authelia/commit/368631ecc5a9c6bcf2ff5f892ad443b890dd945e; it should be expressly noted that this commit does not contain a fix for a CVE). That bug would prevent the request from succeeding in any way. It will be fixed after this vulnerability is fixed, and other than heavily mitigating the access control vulnerability, it has no security impact.

### Patches

Upgrade to 4.39.20.

Commit: https://github.com/authelia/authelia/commit/b6d1d60baa02f216fdb19f5dfeaf2e805829508a

### Workarounds

See the below examples for configurations to avoid.

#### Examples

##### 1FA Downgrade

The following example could result in a 1FA downgrade.

**Request URL:** `https://a.B.example.com`

**Configuration:**

```yaml
session:
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://example.com'

access_control:
  rules:
    - domain: '*.b.example.com'
      policy: 'two_factor'
    - domain: '*.example.com'
      policy: 'one_factor'
```

##### Bypass Downgrade

The following example could result in a bypass downgrade. It should be noted that configurations like this have long been discouraged. The domains matching the pattern `*.example.com` should not be configured to forward authorization requests to Authelia in most situations.

**Request URL:** `https://a.B.example.com`

**Configuration:**

```yaml
session:
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://example.com'

access_control:
  rules:
    - domain: '*.b.example.com'
      policy: 'two_factor'
    - domain: '*.example.com'
      policy: 'bypass'
```

##### Unaffected Scenario

The following configuration is unaffected regardless of the request.

```yaml
session:
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://example.com'

access_control:
  rules:
    - domain: 'b.example.com'
      policy: 'two_factor'
    - domain: '*.example.com'
      policy: 'one_factor'
```
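To make the failure mode in the conditions above and in the 1FA and bypass downgrade examples concrete, here is an added, simplified model of a first-match rule evaluator (illustrative code written for this advisory, not Authelia's own matcher): when the requested host is compared against wildcard rules without being lowercased first, `a.B.example.com` slips past `*.b.example.com` and falls through to the more permissive `*.example.com` rule, whereas lowercasing the host before matching restores the intended policy.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified access control rule: a domain pattern and the policy it applies.
// Constructed for illustration; it is not Authelia's rule type.
type Rule struct {
	Domain string // exact host, or a "*.suffix" wildcard
	Policy string
}

// matchDomain reports whether host matches pattern. The comparison is byte-exact,
// so the host must already be canonicalized (lowercased) for a reliable match.
func matchDomain(pattern, host string) bool {
	if strings.HasPrefix(pattern, "*.") {
		suffix := pattern[1:] // "*.b.example.com" -> ".b.example.com"
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	}
	return pattern == host
}

// firstMatchingPolicy walks the rules in order and returns the policy of the first
// rule whose domain matches. canonicalize=false models the edge case described in
// the advisory (host compared as sent); canonicalize=true lowercases the host first.
// With no matching rule the result is "deny".
func firstMatchingPolicy(rules []Rule, host string, canonicalize bool) string {
	if canonicalize {
		host = strings.ToLower(host)
	}
	for _, r := range rules {
		if matchDomain(r.Domain, host) {
			return r.Policy
		}
	}
	return "deny"
}

// downgradeRules mirrors the "1FA Downgrade" configuration from the advisory.
var downgradeRules = []Rule{
	{Domain: "*.b.example.com", Policy: "two_factor"},
	{Domain: "*.example.com", Policy: "one_factor"},
}

func main() {
	host := "a.B.example.com" // the request host from the advisory examples
	fmt.Println("host as sent:     ", firstMatchingPolicy(downgradeRules, host, false)) // one_factor
	fmt.Println("host canonicalized:", firstMatchingPolicy(downgradeRules, host, true)) // two_factor
}
```

Swapping the second rule's policy for `bypass` reproduces the bypass downgrade the same way, which is why the advisory recommends not routing such hosts through the authorization handlers at all.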


### Affected packages

Go / github.com/authelia/authelia/v4

- Introduced in: 4.36.0
- Fixed in: 4.39.20
- Fix: `go get github.com/authelia/authelia/v4@v4.39.20`
