SCA: security update for github.com/ory/kratos (GHSA-wc43-73w7-x2f5)

medium Tenable Cloud Security Plugin ID 419855

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version
1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the
identity’s highest available AAL is `aal1` even though it really is `aal2`. This means that the
`highest_available` configuration will act as if the user has only one factor set up, for that particular
user. This means that they can call the settings and whoami endpoint without a `aal2` session, even though
that should be disallowed. An attacker would need to steal or guess a valid login OTP of a user who has
only OTP for login enabled and who has an incorrect `available_aal` value stored, to exploit this
vulnerability. All other aspects of the session (e.g. the session’s aal) are not impacted by this issue.
On the Ory Network, only 0.00066% of registered users were affected by this issue, and most of those users
appeared to be test users. Their respective AAL values have since been updated and they are no longer
vulnerable to this attack. Version 1.3.0 is not affected by this issue. As a workaround, those who require
MFA should disable the passwordless code login method. If that is not possible, check the sessions `aal`
to identify if the user has `aal1` or `aal2`. (CVE-2024-45042)

See Also

https://github.com/advisories/GHSA-wc43-73w7-x2f5

Plugin Details

Severity: Medium

ID: 419855

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.92

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:N/A:N

CVSS Score Source: CVE-2024-45042

CVSS v3

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.9

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.9

Threat Score: 2.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/26/2024

Vulnerability Publication Date: 9/26/2024

Reference Information

CVE: CVE-2024-45042

cwe: CWE-287