CVE & CISA-KEV Catalog

CVE-2024-52307

MEDIUM
5.6
CVSS v3
NVD

Description

authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. authentik 2024.8.5 and 2024.10.3 fix this issue. Since the /-/metrics/ endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik.

How to fix

Remediation Available
authentikNVD
Affected:>= 2024.10.0, < 2024.10.3Fixed in:2024.10.3CVE-2024-52307derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityHigh
Privileges RequiredNone
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityLow
IntegrityLow
AvailabilityLow

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploit Intelligence

0.53%probability of exploitation in 30 days
41stpercentile

Moderate risk: more likely to be exploited than 41% of all known CVEs.

References

Vendor Advisory1
Mailing List1
Embed a live status badge for CVE-2024-52307
CVE-2024-52307 severity badge

Markdown

[![CVE-2024-52307](https://tridentstack.com/cve/badge/CVE-2024-52307.svg)](https://tridentstack.com/cve/CVE-2024-52307)

HTML

<a href="https://tridentstack.com/cve/CVE-2024-52307"><img src="https://tridentstack.com/cve/badge/CVE-2024-52307.svg" alt="CVE-2024-52307"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-08-21.