SCA: security update for github.com/authelia/authelia/v4 (GHSA-68wm-pfjf-wqp6)

critical Tenable Cloud Security Plugin ID 411319

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Authelia is a a single sign-on multi-factor portal for web apps. This affects uses who are using nginx
ngx_http_auth_request_module with Authelia, it allows a malicious individual who crafts a malformed HTTP
request to bypass the authentication mechanism. It additionally could theoretically affect other proxy
servers, but all of the ones we officially support except nginx do not allow malformed URI paths. The
problem is rectified entirely in v4.29.3. As this patch is relatively straightforward we can back port
this to any version upon request. Alternatively we are supplying a git patch to 4.25.1 which should be
relatively straightforward to apply to any version, the git patches for specific versions can be found in
the references. The most relevant workaround is upgrading. You can also add a block which fails requests
that contains a malformed URI in the internal location block. (CVE-2021-32637)

See Also

https://github.com/advisories/GHSA-68wm-pfjf-wqp6

Plugin Details

Severity: Critical

ID: 411319

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-32637

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/20/2021

Vulnerability Publication Date: 5/28/2021

Reference Information

CVE: CVE-2021-32637

cwe: CWE-287