Vulnerabilities related to zitadel - zitadel
CVE-2024-28197 (GCVE-0-2024-28197)
Vulnerability from cvelistv5
Published
2024-03-11 19:48
Modified
2024-08-26 18:14
CWE
- CWE-269 - Improper Privilege Management
Summary
Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim’s account in certain scenarios. A possible victim would need to log in through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or an XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`.
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "lessThan": "2.44.3", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.45.1", "status": "affected", "version": "2.45.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-28197", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-26T18:13:08.740406Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-26T18:14:26.566Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:48:49.535Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003c 2.44.3" }, { "status": "affected", "version": "\u003e= 2.45.0, \u003c 2.45.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim\u2019s account in certain scenarios. 
A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-11T19:48:11.008Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr" } ], "source": { "advisory": "GHSA-mq4x-r2w3-j7mr", "discovery": "UNKNOWN" }, "title": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA]" } }, "cveMetadata": { 
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-28197", "datePublished": "2024-03-11T19:48:11.008Z", "dateReserved": "2024-03-06T17:35:00.860Z", "dateUpdated": "2024-08-26T18:14:26.566Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-46238 (GCVE-0-2023-46238)
Vulnerability from cvelistv5
Published
2023-10-26 14:22
Modified
2024-09-17 14:00
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
ZITADEL is an identity infrastructure management system. ZITADEL users can upload their own avatar image using various image types including SVG. SVG can include scripts, such as JavaScript, which can be executed during rendering. Due to a missing security header, an attacker could inject code into an SVG to gain access to the victim’s account in certain scenarios. A victim would need to directly open the malicious image in the browser, where a single session in ZITADEL needs to be active for this exploit to work. If the possible victim had multiple or no active sessions in ZITADEL, the attack would not succeed. This issue has been patched in versions 2.39.2 and 2.38.2.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:37:40.152Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-954h-jrpm-72pm", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-954h-jrpm-72pm" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.38.2", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.2" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.39.2", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.39.2" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-46238", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-09T19:21:11.357429Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-17T14:00:54.887Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003c 2.38.2" }, { "status": "affected", "version": "\u003e= 2.39.0, \u003c 2.39.2" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL is an identity infrastructure management system. ZITADEL users can upload their own avatar image using various image types including SVG. SVG can include scripts, such as javascript, which can be executed during rendering. Due to a missing security header, an attacker could inject code to an SVG to gain access to the victim\u2019s account in certain scenarios. 
A victim would need to directly open the malicious image in the browser, where a single session in ZITADEL needs to be active for this exploit to work. If the possible victim had multiple or no active sessions in ZITADEL, the attack would not succeed. This issue has been patched in version 2.39.2 and 2.38.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-26T14:22:52.496Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-954h-jrpm-72pm", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-954h-jrpm-72pm" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.38.2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.2" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.39.2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.39.2" } ], "source": { "advisory": "GHSA-954h-jrpm-72pm", "discovery": "UNKNOWN" }, "title": "XSS with User Avatar image in ZITADEL" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-46238", "datePublished": "2023-10-26T14:22:52.496Z", "dateReserved": "2023-10-19T20:34:00.947Z", "dateUpdated": 
"2024-09-17T14:00:54.887Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-44399 (GCVE-0-2023-44399)
Vulnerability from cvelistv5
Published
2023-10-10 16:55
Modified
2024-09-19 14:18
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Summary
ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this setting was working properly during the authentication process, it did not work correctly in the password reset flow. This meant that even if this feature was active, an attacker could use the password reset function to verify whether an account exists within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:07:32.937Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.37.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.37.3" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.38.0", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.0" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-44399", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-19T14:17:59.037219Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-19T14:18:10.146Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003c 2.37.3" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL. 
This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-640", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-10T16:55:45.309Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.37.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.37.3" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.38.0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.0" } ], "source": { "advisory": "GHSA-v683-rcxx-vpff", "discovery": "UNKNOWN" }, "title": "ZITADEL\u0027s password reset does not respect the \"Ignoring unknown usernames\" setting" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-44399", "datePublished": "2023-10-10T16:55:45.309Z", "dateReserved": "2023-09-28T17:56:32.614Z", "dateUpdated": "2024-09-19T14:18:10.146Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-48936 (GCVE-0-2025-48936)
Vulnerability from cvelistv5
Published
2025-05-30 06:30
Modified
2025-05-30 13:06
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-48936", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-30T13:06:39.523979Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-30T13:06:54.297Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003c 2.70.12" }, { "status": "affected", "version": "\u003e= 2.71.0, \u003c= 2.71.10" }, { "status": "affected", "version": "\u003e= 3.0.0-rc1, \u003c 3.2.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user\u0027s password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-30T06:30:57.792Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf" }, { "name": "https://github.com/zitadel/zitadel/commit/c097887bc5f680e12c998580fb56d98a15758f53", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/c097887bc5f680e12c998580fb56d98a15758f53" } ], "source": { "advisory": "GHSA-93m4-mfpg-c3xf", "discovery": "UNKNOWN" }, "title": "ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-48936", "datePublished": "2025-05-30T06:30:57.792Z", "dateReserved": "2025-05-28T18:49:07.577Z", "dateUpdated": "2025-05-30T13:06:54.297Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-28855 (GCVE-0-2024-28855)
Vulnerability from cvelistv5
Published
2024-03-18 21:46
Modified
2024-08-13 14:19
CWE
- CWE-20 - Improper Input Validation
Summary
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to an improper use of the `text/template` package instead of the `html/template` package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link containing injected code that would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:56:58.167Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.41.15", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.41.15" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.15", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.15" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.9", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.3" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.1" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.1" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.3" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "lessThan": "2.41.15", "status": "affected", "version": "0", "versionType": "custom" 
}, { "lessThan": "2.42.15", "status": "affected", "version": "2.42.0", "versionType": "custom" }, { "lessThan": "2.43.9", "status": "affected", "version": "2.43.0", "versionType": "custom" }, { "lessThan": "2.44.3", "status": "affected", "version": "2.44.0", "versionType": "custom" }, { "lessThan": "2.47.4", "status": "affected", "version": "2.47.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:zitadel:zitadel:2.45.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "2.45.0" } ] }, { "cpes": [ "cpe:2.3:a:zitadel:zitadel:2.46.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "2.46.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-28855", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-19T15:00:40.963408Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-13T14:19:08.789Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003c 2.41.15" }, { "status": "affected", "version": "\u003e= 2.42.0, \u003c 2.42.15" }, { "status": "affected", "version": "\u003e= 2.43.0, \u003c 2.43.9" }, { "status": "affected", "version": "\u003e= 2.44.0, \u003c 2.44.3" }, { "status": "affected", "version": "= 2.45.0" }, { "status": "affected", "version": "= 2.46.0" }, { "status": "affected", "version": "\u003e= 2.47.0, \u003c 2.47.4" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL, open source authentication management software, uses Go templates to render the login UI. 
Due to a improper use of the `text/template` instead of the `html/template` package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link, where he injected code which would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-18T21:46:47.314Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.41.15", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.41.15" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.15", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.15" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.9", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/zitadel/zitadel/releases/tag/v2.43.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.3" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.1" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.1" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.3" } ], "source": { "advisory": "GHSA-hfrg-4jwr-jfpj", "discovery": "UNKNOWN" }, "title": "ZITADEL vulnerable to improper HTML sanitization" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-28855", "datePublished": "2024-03-18T21:46:47.314Z", "dateReserved": "2024-03-11T22:45:07.686Z", "dateUpdated": "2024-08-13T14:19:08.789Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-46815 (GCVE-0-2025-46815)
Vulnerability from cvelistv5
Published
2025-05-06 17:13
Modified
2025-05-06 18:21
CWE
Summary
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-46815", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-06T18:20:59.907100Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-06T18:21:14.384Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 3.0.0-rc.1, \u003c 3.0.0" }, { "status": "affected", "version": "\u003c 2.70.10" }, { "status": "affected", "version": "\u003e= 2.71.0, \u003c 2.71.9" } ] } ], "descriptions": [ { "lang": "en", "value": "The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application\u2019s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It\u0027s important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-294", "description": "CWE-294: Authentication Bypass by Capture-replay", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-384", "description": "CWE-384: Session Fixation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-06T17:13:53.878Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq" }, { "name": "https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.70.10", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.10" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v3.0.0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v3.0.0" } ], "source": { "advisory": "GHSA-g4r8-mp7g-85fq", "discovery": "UNKNOWN" }, "title": "ZITADEL 
Allows IdP Intent Token Reuse" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-46815", "datePublished": "2025-05-06T17:13:53.878Z", "dateReserved": "2025-04-30T19:41:58.133Z", "dateUpdated": "2025-05-06T18:21:14.384Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-49097 (GCVE-0-2023-49097)
Vulnerability from cvelistv5
Published
2023-11-30 04:45
Modified
2024-11-27 15:55
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Summary
ZITADEL is an identity infrastructure system. ZITADEL uses the Forwarded or X-Forwarded-Host header of the request that triggers a notification to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the user's password and take over their account. Accounts with MFA or Passwordless enabled cannot be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:46:28.898Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-49097", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-27T15:55:31.497684Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-27T15:55:49.263Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.39.0, \u003c 2.39.9" }, { "status": "affected", "version": "\u003e= 2.40.0, \u003c 2.40.10" }, { "status": "affected", "version": "\u003e= 2.41.0, \u003c 2.41.6" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. 
This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-640", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-30T04:45:49.675Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w" } ], "source": { "advisory": "GHSA-2wmj-46rj-qm2w", "discovery": "UNKNOWN" }, "title": "ZITADEL vulnerable account takeover via malicious host header injection" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-49097", "datePublished": "2023-11-30T04:45:49.675Z", "dateReserved": "2023-11-21T18:57:30.430Z", "dateUpdated": "2024-11-27T15:55:49.263Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-32967 (GCVE-0-2024-32967)
Vulnerability from cvelistv5
Published
2024-05-01 06:43
Modified
2024-08-02 02:27
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Zitadel is an open source identity management system. If ZITADEL could not connect to the database, connection information including the database name, username and database host name could be returned to the user. This has been addressed in all supported release branches in a point release. There is no workaround since a patch is already available. Users are advised to upgrade.
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "lessThan": "2.45.7", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.46.7", "status": "affected", "version": "2.46.0", "versionType": "custom" }, { "lessThan": "2.47.10", "status": "affected", "version": "2.47.0", "versionType": "custom" }, { "lessThan": "2.48.5", "status": "affected", "version": "2.48.0", "versionType": "custom" }, { "lessThan": "2.49.5", "status": "affected", "version": "2.49.0", "versionType": "custom" }, { "lessThan": "2.50.3", "status": "affected", "version": "2.50.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-32967", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-01T17:12:34.287616Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-06T17:39:20.788Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:27:53.191Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945" }, { "name": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": 
"https://github.com/zitadel/zitadel/releases/tag/v2.45.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003c 2.45.7" }, { "status": "affected", "version": "\u003e= 2.46.0,\u003c 2.46.7" }, { "status": "affected", "version": "\u003e= 2.47.0, \u003c 2.47.10" }, { "status": "affected", "version": "\u003e= 2.48.0, \u003c 2.48.5" }, { "status": "affected", "version": "\u003e= 2.49.0, \u003c 2.49.5" }, { "status": "affected", "version": "\u003e= 2.50.0, \u003c 2.50.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management system. In case ZITADEL could not connect to the database, connection information including db name, username and db host name could be returned to the user. This has been addressed in all supported release branches in a point release. There is no workaround since a patch is already available. Users are advised to upgrade." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-01T16:35:43.712Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945" }, { "name": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/zitadel/zitadel/releases/tag/v2.49.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3" } ], "source": { "advisory": "GHSA-q5qj-x2h5-3945", "discovery": "UNKNOWN" }, "title": "Zitadel exposes internal database user name and host information" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-32967", "datePublished": "2024-05-01T06:43:36.137Z", "dateReserved": "2024-04-22T15:14:59.165Z", "dateUpdated": "2024-08-02T02:27:53.191Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-36051 (GCVE-0-2022-36051)
Vulnerability from cvelistv5
Published
2022-08-31 22:40
Modified
2025-04-23 17:33
CWE
- CWE-436 - Interpretation Conflict
Summary
ZITADEL combines the ease of Auth0 and the versatility of Keycloak. **Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature where users with the role `ORG_OWNER` are able to create JavaScript code which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround; users should update.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T09:51:59.984Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-36051", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-23T15:50:25.436773Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-23T17:33:14.632Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.0.0, \u003c 2.2.0" }, { "status": "affected", "version": "\u003e= 1.42.0, \u003c 1.87.1" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. 
There is currently no known workaround, users should update." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-31T22:40:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0" } ], "source": { "advisory": "GHSA-c8fj-4pm8-mp2c", "discovery": "UNKNOWN" }, "title": "Broken Authorization in ZITADEL Actions", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36051", "STATE": "PUBLIC", "TITLE": "Broken Authorization in ZITADEL Actions" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "zitadel", "version": { "version_data": [ { "version_value": "\u003e= 2.0.0, \u003c 2.2.0" }, { "version_value": "\u003e= 1.42.0, \u003c 1.87.1" } ] } } ] }, "vendor_name": "zitadel" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with 
role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-436: Interpretation Conflict" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c", "refsource": "CONFIRM", "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1", "refsource": "MISC", "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0", "refsource": "MISC", "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0" } ] }, "source": { "advisory": "GHSA-c8fj-4pm8-mp2c", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36051", "datePublished": "2022-08-31T22:40:10.000Z", "dateReserved": "2022-07-15T00:00:00.000Z", "dateUpdated": "2025-04-23T17:33:14.632Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", 
"dataVersion": "5.1" }
CVE-2024-49757 (GCVE-0-2024-49757)
Vulnerability from cvelistv5
Published
2024-10-25 14:22
Modified
2024-10-25 16:14
CWE
- CWE-287 - Improper Authentication
Summary
The open-source identity infrastructure software Zitadel allows administrators to disable user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and registering a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-49757", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-25T15:04:07.205517Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-25T16:14:16.296Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.63, \u003c 2.63.5" }, { "status": "affected", "version": "\u003e= 2.62, \u003c 2.62.7" }, { "status": "affected", "version": "\u003e= 2.61, \u003c 2.61.3" }, { "status": "affected", "version": "\u003e= 2.60, \u003c 2.60.3" }, { "status": "affected", "version": "\u003e= 2.59, \u003c 2.59.4" }, { "status": "affected", "version": "\u003c 2.58.6" } ] } ], "descriptions": [ { "lang": "en", "value": "The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the \"User Registration allowed\" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-25T14:22:49.500Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.58.7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.59.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.59.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.60.4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.60.4" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.61.4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.61.4" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.62.7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.62.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.63.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.64.0", "tags": [ 
"x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.0" } ], "source": { "advisory": "GHSA-3rmw-76m6-4gjc", "discovery": "UNKNOWN" }, "title": "Zitadel User Registration Bypass Vulnerability" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-49757", "datePublished": "2024-10-25T14:22:49.500Z", "dateReserved": "2024-10-18T13:43:23.454Z", "dateUpdated": "2024-10-25T16:14:16.296Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-47060 (GCVE-0-2024-47060)
Vulnerability from cvelistv5
Published
2024-09-19 23:08
Modified
2024-09-20 15:28
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, its associated projects and their applications remain active. Users across other organizations can still log in and gain access through these applications, leading to unauthorized access. Additionally, if a project was deactivated, access to its applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows unauthorized access to projects and their resources, which should have been restricted after organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is no longer allowed.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-47060", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-20T15:27:59.964305Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-20T15:28:08.556Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.62.0, \u003c 2.62.1" }, { "status": "affected", "version": "\u003e= 2.61.0, \u003c 2.61.1" }, { "status": "affected", "version": "\u003e= 2.60.0, \u003c 2.60.2" }, { "status": "affected", "version": "\u003e= 2.59.0, \u003c 2.59.3" }, { "status": "affected", "version": "\u003e= 2.58.0, \u003c 2.58.5" }, { "status": "affected", "version": "\u003e= 2.57.0, \u003c 2.57.5" }, { "status": "affected", "version": "\u003e= 2.56.0, \u003c 2.56.6" }, { "status": "affected", "version": "\u003e= 2.55.0, \u003c 2.55.8" }, { "status": "affected", "version": "\u003c 2.54.10" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization\u0027s lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. 
This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-19T23:08:01.375Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8" } ], "source": { "advisory": "GHSA-jj94-6f5c-65r8", "discovery": "UNKNOWN" }, "title": "Unauthorized Access After Organization or Project Deactivation in Zitadel" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-47060", "datePublished": "2024-09-19T23:08:01.375Z", "dateReserved": "2024-09-17T17:42:37.027Z", "dateUpdated": "2024-09-20T15:28:08.556Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-39683 (GCVE-0-2024-39683)
Vulnerability from cvelistv5
Published
2024-07-03 19:20
Modified
2024-08-02 04:26
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that user-agent information (e.g. when created through the session service) were incorrectly listed, potentially exposing other users' sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available.
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "lessThan": "2.54.5", "status": "affected", "version": "2.54.0", "versionType": "custom" }, { "status": "affected", "version": "2.55.0" }, { "lessThan": "2.53.8", "status": "affected", "version": "2.53.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-39683", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-05T18:26:22.872833Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-08T16:54:43.254Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:26:15.915Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397" }, { "name": "https://github.com/zitadel/zitadel/issues/8213", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/issues/8213" }, { "name": "https://github.com/zitadel/zitadel/pull/8231", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/pull/8231" }, { "name": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04" }, { "name": "https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": 
"https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da" }, { "name": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73" }, { "name": "https://discord.com/channels/927474939156643850/1254096852937347153", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://discord.com/channels/927474939156643850/1254096852937347153" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "= 2.55.0" }, { "status": "affected", "version": "\u003e= 2.54.0, \u003c 2.54.5" }, { "status": "affected", "version": "\u003e= 2.53.0, \u003c 2.53.8" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created though the session service) were incorrectly listed exposing potentially other user\u0027s sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-03T19:20:08.880Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397" }, { "name": "https://github.com/zitadel/zitadel/issues/8213", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/issues/8213" }, { "name": "https://github.com/zitadel/zitadel/pull/8231", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/pull/8231" }, { "name": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04" }, { "name": "https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da" }, { "name": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73" }, { "name": "https://discord.com/channels/927474939156643850/1254096852937347153", "tags": [ 
"x_refsource_MISC" ], "url": "https://discord.com/channels/927474939156643850/1254096852937347153" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1" } ], "source": { "advisory": "GHSA-cvw9-c57h-3397", "discovery": "UNKNOWN" }, "title": "ZITADEL Vulnerable to Session Information Leakage" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-39683", "datePublished": "2024-07-03T19:20:08.880Z", "dateReserved": "2024-06-27T18:44:13.034Z", "dateUpdated": "2024-08-02T04:26:15.915Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-47111 (GCVE-0-2023-47111)
Vulnerability from cvelistv5
Published
2023-11-08 21:42
Modified
2024-09-12 18:59
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Summary
ZITADEL provides identity infrastructure. ZITADEL gives administrators the possibility to define a `Lockout Policy` with a maximum number of failed password check attempts. On every failed password check, the number of failed checks is compared against the configured maximum. Exceeding the limit locks the user and prevents further authentication. In the affected implementation it was possible for an attacker to start multiple parallel password checks, giving them the opportunity to try more combinations than configured in the `Lockout Policy`. This vulnerability has been patched in versions 2.40.5 and 2.38.3.
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:01:22.673Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m" }, { "name": "https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.38.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.3" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.40.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.40.5" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-47111", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-04T14:23:18.808321Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-12T18:59:25.343Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.39.0, \u003c 2.40.5" }, { "status": "affected", "version": "\u003c 2.38.3" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a `Lockout Policy` with a maximum amount of failed password check attempts. 
On every failed password check, the amount of failed checks is compared against the configured maximum. Exceeding the limit, will lock the user and prevent further authentication. In the affected implementation it was possible for an attacker to start multiple parallel password checks, giving him the possibility to try out more combinations than configured in the `Lockout Policy`. This vulnerability has been patched in versions 2.40.5 and 2.38.3.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-08T21:42:27.853Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m" }, { "name": "https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.38.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.3" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.40.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.40.5" } ], 
"source": { "advisory": "GHSA-7h8m-vrxx-vr4m", "discovery": "UNKNOWN" }, "title": "ZITADEL race condition in lockout policy execution" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-47111", "datePublished": "2023-11-08T21:42:27.853Z", "dateReserved": "2023-10-30T19:57:51.673Z", "dateUpdated": "2024-09-12T18:59:25.343Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-47000 (GCVE-0-2024-47000)
Vulnerability from cvelistv5
Published
2024-09-19 23:10
Modified
2024-09-20 15:42
CWE
- CWE-269 - Improper Privilege Management
Summary
Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may, instead of deactivating the service account, create new credentials and replace the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account's password.
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "lessThan": "2.54.10", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.55.8", "status": "affected", "version": "2.55.0", "versionType": "custom" }, { "lessThan": "2.56.6", "status": "affected", "version": "2.56.0", "versionType": "custom" }, { "lessThan": "2.57.5", "status": "affected", "version": "2.57.0", "versionType": "custom" }, { "lessThan": "2.58.5", "status": "affected", "version": "2.58.0", "versionType": "custom" }, { "lessThan": "2.59.3", "status": "affected", "version": "2.59.0", "versionType": "custom" }, { "lessThan": "2.60.2", "status": "affected", "version": "2.60.0", "versionType": "custom" }, { "lessThan": "2.61.1", "status": "affected", "version": "2.61.0", "versionType": "custom" }, { "lessThan": "2.62.1", "status": "affected", "version": "2.62.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-47000", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-20T15:39:20.211544Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-20T15:42:00.168Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.62.0, \u003c 2.62.1" }, { "status": "affected", "version": "\u003e= 2.61.0, \u003c 2.61.1" }, { "status": "affected", "version": "\u003e= 2.60.0, \u003c 2.60.2" }, { "status": "affected", "version": "\u003e= 2.59.0, \u003c 2.59.3" }, { "status": "affected", "version": "\u003e= 2.58.0, \u003c 2.58.5" }, { "status": "affected", "version": "\u003e= 2.57.0, \u003c 2.57.5" }, { 
"status": "affected", "version": "\u003e= 2.56.0, \u003c 2.56.6" }, { "status": "affected", "version": "\u003e= 2.55.0, \u003c 2.55.8" }, { "status": "affected", "version": "\u003c 2.54.10" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management platform. ZITADEL\u0027s user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised t upgrade. Users unable to upgrade may instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account\u0027s password." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-19T23:10:33.882Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393" } ], "source": { "advisory": "GHSA-qr2h-7pwm-h393", "discovery": "UNKNOWN" }, "title": "Service Users Deactivation not Working in Zitadel" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-47000", "datePublished": "2024-09-19T23:10:33.882Z", "dateReserved": "2024-09-16T16:10:09.022Z", "dateUpdated": "2024-09-20T15:42:00.168Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-27507 (GCVE-0-2025-27507)
Vulnerability from cvelistv5
Published
2025-03-04 16:43
Modified
2025-03-12 21:11
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
The open-source identity infrastructure software Zitadel allows administrators to disable user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, 2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| zitadel | zitadel | >= 2.63.0-rc.1, < 2.63.8; >= 2.64.0-rc.1, < 2.64.5; >= 2.66.0-rc.1, < 2.66.11; >= 2.67.0-rc.1, < 2.67.8; >= 2.68.0-rc.1, < 2.68.4; >= 2.69.0-rc.1, < 2.69.4; >= 2.70.0-rc.1, < 2.70.1; >= 2.65.0-rc.1, < 2.65.6 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-27507", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-04T17:05:51.380213Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-12T21:11:10.878Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.63.0-rc.1, \u003c 2.63.8" }, { "status": "affected", "version": "\u003e= 2.64.0-rc.1, \u003c 2.64.5" }, { "status": "affected", "version": "\u003e= 2.66.0-rc.1, \u003c 2.66.11" }, { "status": "affected", "version": "\u003e= 2.67.0-rc.1, \u003c 2.67.8" }, { "status": "affected", "version": "\u003e= 2.68.0-rc.1, \u003c 2.68.4" }, { "status": "affected", "version": "\u003e= 2.69.0-rc.1, \u003c 2.69.4" }, { "status": "affected", "version": "\u003e= 2.70.0-rc.1, \u003c 2.70.1" }, { "status": "affected", "version": "\u003e= 2.65.0-rc.1, \u003c 2.65.6" } ] } ], "descriptions": [ { "lang": "en", "value": "The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL\u0027s Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, ,2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-04T16:43:22.529Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x" }, { "name": "https://github.com/zitadel/zitadel/commit/d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4" } ], "source": { "advisory": "GHSA-f3gh-529w-v32x", "discovery": "UNKNOWN" }, "title": "IDOR Vulnerabilities in ZITADEL\u0027s Admin API that Primarily Impact LDAP Configurations" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-27507", "datePublished": "2025-03-04T16:43:22.529Z", "dateReserved": "2025-02-26T18:11:52.305Z", "dateUpdated": "2025-03-12T21:11:10.878Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-41953 (GCVE-0-2024-41953)
Vulnerability from cvelistv5
Published
2024-07-31 16:42
Modified
2024-08-01 13:48
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information, such as usernames, dynamically. That information can be entered by users or administrators. Due to missing output sanitization, these emails could include malicious code. This may lead to a threat where an attacker, without privileges, could send out altered notifications that are part of the registration processes. An attacker could create a malicious link, where the injected code would be rendered as part of the email. On the user's detail page, the username was also not sanitized and would also render HTML, giving an attacker the same vulnerability. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by most email clients and by the Content Security Policy in the Console UI. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, 2.53.9, and 2.52.3.
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-41953", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-01T13:48:22.254696Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T13:48:32.705Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.52.0, \u003c 2.52.3" }, { "status": "affected", "version": "\u003e= 2.53.0, \u003c 2.53.9" }, { "status": "affected", "version": "\u003e= 2.54.0, \u003c 2.54.8" }, { "status": "affected", "version": "\u003e= 2.55.0, \u003c 2.55.5" }, { "status": "affected", "version": "\u003e= 2.56.0, \u003c 2.56.2" }, { "status": "affected", "version": "\u003e= 2.57.0, \u003c 2.57.1" }, { "status": "affected", "version": "\u003e= 2.58.0, \u003c 2.58.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to a missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker, without privileges, could send out altered notifications that are part of the registration processes. An attacker could create a malicious link, where the injected code would be rendered as part of the email. On the user\u0027s detail page, the username was also not sanitized and would also render HTML, giving an attacker the same vulnerability. While it was possible to inject HTML including javascript, the execution of such scripts would be prevented by most email clients and the Content Security Policy in Console UI. 
This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8 2.53.9, and 2.52.3." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-31T16:42:33.125Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v333-7h2p-5fhv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v333-7h2p-5fhv" }, { "name": "https://github.com/zitadel/zitadel/commit/0e1f99e987b5851caec45a72660fe9f67e425747", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/0e1f99e987b5851caec45a72660fe9f67e425747" }, { "name": "https://github.com/zitadel/zitadel/commit/38da602ee1cfc35c0d7918c298fbfc3f3674133b", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/38da602ee1cfc35c0d7918c298fbfc3f3674133b" }, { "name": "https://github.com/zitadel/zitadel/commit/4b59cac67bb89c1f3f84a2041dd273d11151d29f", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/4b59cac67bb89c1f3f84a2041dd273d11151d29f" }, { "name": "https://github.com/zitadel/zitadel/commit/c1a3fc72dde16e987d8a09aa291e7c2edfc928f7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/c1a3fc72dde16e987d8a09aa291e7c2edfc928f7" }, { "name": 
"https://github.com/zitadel/zitadel/commit/c353f82f89c6982c0888c6763363296cf4263cb2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/c353f82f89c6982c0888c6763363296cf4263cb2" }, { "name": "https://github.com/zitadel/zitadel/commit/d04ac6df8f2f0243e649b802a8bfa6176cef0923", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/d04ac6df8f2f0243e649b802a8bfa6176cef0923" }, { "name": "https://github.com/zitadel/zitadel/commit/f846616a3f022e88e3ea8cea05d3254ad86f1615", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/f846616a3f022e88e3ea8cea05d3254ad86f1615" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.52.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.52.3" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.53.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.54.8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.8" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.55.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.56.2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.56.2" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.57.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.57.1" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.58.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.1" } ], "source": { "advisory": "GHSA-v333-7h2p-5fhv", "discovery": "UNKNOWN" }, "title": "Zitadel improperly sanitizes HTML in emails and Console UI" } }, 
"cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-41953", "datePublished": "2024-07-31T16:42:33.125Z", "dateReserved": "2024-07-24T16:51:40.949Z", "dateUpdated": "2024-08-01T13:48:32.705Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-22492 (GCVE-0-2023-22492)
Vulnerability from cvelistv5
Published
2023-01-11 19:42
Modified
2025-03-10 21:30
CWE
- CWE-613 - Insufficient Session Expiration
Summary
ZITADEL is a combination of Auth0 and Keycloak. Refresh tokens are an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. Refresh tokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user's session was already terminated ("logged out"), it was not possible to create a new session. Renewal of an access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements, since that value bounds how long an already-issued refresh token of a locked or deactivated user can still be redeemed. This issue has been patched in versions 2.17.3 and 2.16.4.
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:13:48.665Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8" }, { "name": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83" }, { "name": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-22492", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-03-10T21:00:16.231923Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-10T21:30:41.038Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.17.0, \u003c 2.17.3" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c 2.16.4" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user\u0027s session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. 
The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user\u2019s session was already terminated (\u201clogged out\u201d) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4. " } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-11T19:42:50.505Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8" }, { "name": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83" }, { "name": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2" } ], "source": { "advisory": "GHSA-6rrr-78xp-5jp8", "discovery": 
"UNKNOWN" }, "title": "RefreshToken invalidation vulnerability" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-22492", "datePublished": "2023-01-11T19:42:50.505Z", "dateReserved": "2022-12-29T17:41:28.089Z", "dateUpdated": "2025-03-10T21:30:41.038Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-46999 (GCVE-0-2024-46999)
Vulnerability from cvelistv5
Published
2024-09-19 23:11
Modified
2024-09-20 15:44
CWE
- CWE-269 - Improper Privilege Management
Summary
Zitadel is an open source identity management platform. ZITADEL's user grant deactivation mechanism did not work correctly. Deactivated user grants were still provided in tokens, which could lead to unauthorized access to applications and resources. Additionally, the management and auth APIs always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released to address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user no longer gets access.
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "lessThan": "2.54.10", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.55.8", "status": "affected", "version": "2.55.0", "versionType": "custom" }, { "lessThan": "2.56.6", "status": "affected", "version": "2.56.0", "versionType": "custom" }, { "lessThan": "2.57.5", "status": "affected", "version": "2.57.0", "versionType": "custom" }, { "lessThan": "2.58.5", "status": "affected", "version": "2.58.0", "versionType": "custom" }, { "lessThan": "2.59.3", "status": "affected", "version": "2.59.0", "versionType": "custom" }, { "lessThan": "2.60.2", "status": "affected", "version": "2.60.0", "versionType": "custom" }, { "lessThan": "2.61.1", "status": "affected", "version": "2.61.0", "versionType": "custom" }, { "lessThan": "2.62.1", "status": "affected", "version": "2.62.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-46999", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-20T15:42:37.629006Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-20T15:44:42.866Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.62.0, \u003c 2.62.1" }, { "status": "affected", "version": "\u003e= 2.61.0, \u003c 2.61.1" }, { "status": "affected", "version": "\u003e= 2.60.0, \u003c 2.60.2" }, { "status": "affected", "version": "\u003e= 2.59.0, \u003c 2.59.3" }, { "status": "affected", "version": "\u003e= 2.58.0, \u003c 2.58.5" }, { "status": "affected", "version": "\u003e= 2.57.0, \u003c 2.57.5" }, { 
"status": "affected", "version": "\u003e= 2.56.0, \u003c 2.56.6" }, { "status": "affected", "version": "\u003e= 2.55.0, \u003c 2.55.8" }, { "status": "affected", "version": "\u003c 2.54.10" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management platform. ZITADEL\u0027s user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-19T23:11:48.256Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5" } ], "source": { "advisory": "GHSA-2w5j-qfvw-2hf5", "discovery": "UNKNOWN" }, "title": "User Grant Deactivation not Working in Zitadel" } }, "cveMetadata": { "assignerOrgId": 
"a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-46999", "datePublished": "2024-09-19T23:11:48.256Z", "dateReserved": "2024-09-16T16:10:09.022Z", "dateUpdated": "2024-09-20T15:44:42.866Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-49753 (GCVE-0-2024-49753)
Vulnerability from cvelistv5
Published
2024-10-25 14:11
Modified
2024-10-25 16:17
CWE
- CWE-20 - Improper Input Validation
Summary
Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions that allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may expose sensitive information or functionality. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "lessThan": "2.64.1", "status": "affected", "version": "2.64", "versionType": "custom" }, { "lessThan": "2.63.6", "status": "affected", "version": "2.63", "versionType": "custom" }, { "lessThan": "2.62.8", "status": "affected", "version": "2.62", "versionType": "custom" }, { "lessThan": "2.61.4", "status": "affected", "version": "2.61", "versionType": "custom" }, { "lessThan": "2.60.4", "status": "affected", "version": "2.60", "versionType": "custom" }, { "lessThan": "2.59.5", "status": "affected", "version": "2.59", "versionType": "custom" }, { "lessThan": "2.58.7", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-49753", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-25T15:04:29.564973Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-25T16:17:38.587Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.64, \u003c 2.64.1" }, { "status": "affected", "version": "\u003e= 2.63, \u003c 2.63.6" }, { "status": "affected", "version": "\u003e= 2.62, \u003c 2.62.8" }, { "status": "affected", "version": "\u003e= 2.61, \u003c 2.61.4" }, { "status": "affected", "version": "\u003e= 2.60, \u003c 2.60.4" }, { "status": "affected", "version": "\u003e= 2.59, \u003c 2.59.5" }, { "status": "affected", "version": "\u003c 2.58.7" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is open-source identity infrastructure software. 
Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-25T14:11:44.092Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.58.7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.59.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.59.5" }, { "name": 
"https://github.com/zitadel/zitadel/releases/tag/v2.60.4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.60.4" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.61.4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.61.4" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.62.8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.62.8" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.63.6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.6" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.64.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.1" } ], "source": { "advisory": "GHSA-6cf5-w9h3-4rqv", "discovery": "UNKNOWN" }, "title": "Denied Host Validation Bypass in Zitadel Actions" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-49753", "datePublished": "2024-10-25T14:11:44.092Z", "dateReserved": "2024-10-18T13:43:23.451Z", "dateUpdated": "2024-10-25T16:17:38.587Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-29891 (GCVE-0-2024-29891)
Vulnerability from cvelistv5
Published
2024-03-27 19:18
Modified
2024-08-02 01:17
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
ZITADEL users can upload their own avatar image, and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to open the supposed image directly in the browser while a session in ZITADEL is active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox; Chrome, Safari, and Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-29891", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-28T18:36:06.675259Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:57:38.082Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:17:58.325Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8" }, { "name": 
"https://github.com/zitadel/zitadel/releases/tag/v2.48.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003c 2.42.17" }, { "status": "affected", "version": "\u003e= 2.43.0, \u003c 2.43.11" }, { "status": "affected", "version": "\u003e= 2.44.0, \u003c 2.44.7" }, { "status": "affected", "version": "\u003e= 2.45.0, \u003c 2.45.5" }, { "status": "affected", "version": "\u003e= 2.46.0, \u003c 2.46.5" }, { "status": "affected", "version": "\u003e= 2.47.0, \u003c 2.47.8" }, { "status": "affected", "version": "\u003e= 2.48.0, \u003c 2.48.3" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim\u0027s account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-27T19:18:08.078Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8" }, { "name": 
"https://github.com/zitadel/zitadel/releases/tag/v2.48.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3" } ], "source": { "advisory": "GHSA-hr5w-cwwq-2v4m", "discovery": "UNKNOWN" }, "title": "ZITADEL Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-29891", "datePublished": "2024-03-27T19:18:08.078Z", "dateReserved": "2024-03-21T15:12:08.998Z", "dateUpdated": "2024-08-02T01:17:58.325Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-41952 (GCVE-0-2024-41952)
Vulnerability from cvelistv5
Published
2024-07-31 16:30
Modified
2024-07-31 17:36
CWE
- CWE-203 - Observable Discrepancy
Summary
Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". Due to an implementation change to prevent deadlocks when calling the database, the flag was not correctly respected in all cases, and an attacker could learn whether an account exists within ZITADEL, since the error message showed "object not found" instead of the generic error message. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, and 2.53.9.
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "lessThan": "2.53.9", "status": "affected", "version": "2.53.0", "versionType": "custom" }, { "lessThan": "2.54.8", "status": "affected", "version": "2.54.0", "versionType": "custom" }, { "lessThan": "2.55.5", "status": "affected", "version": "2.55.0", "versionType": "custom" }, { "lessThan": "2.56.2", "status": "affected", "version": "2.56.0", "versionType": "custom" }, { "lessThan": "2.57.1", "status": "affected", "version": "2.57.0", "versionType": "custom" }, { "lessThan": "2.58.1", "status": "affected", "version": "2.58.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-41952", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-31T17:32:41.126563Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-31T17:36:34.317Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.53.0, \u003c 2.53.9" }, { "status": "affected", "version": "\u003e= 2.54.0, \u003c 2.54.8" }, { "status": "affected", "version": "\u003e= 2.55.0, \u003c 2.55.5" }, { "status": "affected", "version": "\u003e= 2.56.0, \u003c 2.56.2" }, { "status": "affected", "version": "\u003e= 2.57.0, \u003c 2.57.1" }, { "status": "affected", "version": "\u003e= 2.58.0, \u003c 2.58.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. 
If enabled, ZITADEL will show the password prompt even if the user doesn\u0027t exist and report \"Username or Password invalid\". Due to a implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases and an attacker would gain information if an account exist within ZITADEL, since the error message shows \"object not found\" instead of the generic error message. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, and 2.53.9." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-203", "description": "CWE-203: Observable Discrepancy", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-31T16:36:07.448Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-567v-6hmg-6qg7", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-567v-6hmg-6qg7" }, { "name": "https://github.com/zitadel/zitadel/commit/0ab0c645ef914298c343fa39cccb1290aba48bf6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/0ab0c645ef914298c343fa39cccb1290aba48bf6" }, { "name": "https://github.com/zitadel/zitadel/commit/3c7d12834e32426416235b9e3374be0f4b9380b8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/3c7d12834e32426416235b9e3374be0f4b9380b8" }, { "name": "https://github.com/zitadel/zitadel/commit/5c2526c98aafd1ba206be2fa4291b1d24c384f6d", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/zitadel/zitadel/commit/5c2526c98aafd1ba206be2fa4291b1d24c384f6d" }, { "name": "https://github.com/zitadel/zitadel/commit/8565d24fd8df5bd35294313cfbfcc2e15aea20e9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/8565d24fd8df5bd35294313cfbfcc2e15aea20e9" }, { "name": "https://github.com/zitadel/zitadel/commit/b0e71a81ef39667ce2a149ce037c1ca0edbe059d", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/b0e71a81ef39667ce2a149ce037c1ca0edbe059d" }, { "name": "https://github.com/zitadel/zitadel/commit/fc1d415b8db5b8d481bb65206ce3fc944c0eecea", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/fc1d415b8db5b8d481bb65206ce3fc944c0eecea" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.53.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.54.8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.8" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.55.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.56.2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.56.2" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.57.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.57.1" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.58.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.1" } ], "source": { "advisory": "GHSA-567v-6hmg-6qg7", "discovery": "UNKNOWN" }, "title": "Zitadel has an \"Ignoring unknown usernames\" vulnerability" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", 
"assignerShortName": "GitHub_M", "cveId": "CVE-2024-41952", "datePublished": "2024-07-31T16:30:22.811Z", "dateReserved": "2024-07-24T16:51:40.949Z", "dateUpdated": "2024-07-31T17:36:34.317Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53895 (GCVE-0-2025-53895)
Vulnerability from cvelistv5
Published
2025-07-15 16:39
Modified
2025-07-15 17:19
Summary
ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, a vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-53895", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-15T17:19:18.220867Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-15T17:19:29.391Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "= 4.0.0-rc.1" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.3.1" }, { "status": "affected", "version": "\u003e= 2.53.0, \u003c 2.70.14" }, { "status": "affected", "version": "\u003e= 2.71.0, \u003c 2.71.13" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL\u0027s session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 7.7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-384", "description": "CWE-384: Session Fixation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-15T16:39:00.635Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6c5p-6www-pcmr", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6c5p-6www-pcmr" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.70.14", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.14" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.13", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.13" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v3.3.2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v3.3.2" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v4.0.0-rc.2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v4.0.0-rc.2" } ], "source": { "advisory": "GHSA-6c5p-6www-pcmr", "discovery": "UNKNOWN" }, "title": "ZITADEL has broken authN and authZ in session API and resulting 
session tokens" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-53895", "datePublished": "2025-07-15T16:39:00.635Z", "dateReserved": "2025-07-11T19:05:23.825Z", "dateUpdated": "2025-07-15T17:19:29.391Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-29892 (GCVE-0-2024-29892)
Vulnerability from cvelistv5
Published
2024-03-27 19:59
Modified
2024-08-13 14:07
CWE
- CWE-863 - Incorrect Authorization
Summary
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example, it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this, we introduced a protection that prevents actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T01:17:58.115Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "zitadel", "vendor": "zitadel", "versions": [ { "lessThan": "2.42.17", "status": "affected", "version": "0", "versionType": "custom" 
}, { "lessThan": "2.43.11", "status": "affected", "version": "2.43.0", "versionType": "custom" }, { "lessThan": "2.44.7", "status": "affected", "version": "2.44.0", "versionType": "custom" }, { "lessThan": "2.45.5", "status": "affected", "version": "2.45.0", "versionType": "custom" }, { "lessThan": "2.46.5", "status": "affected", "version": "2.46.0", "versionType": "custom" }, { "lessThan": "2.47.8", "status": "affected", "version": "2.47.0", "versionType": "custom" }, { "lessThan": "2.48.3", "status": "affected", "version": "2.48.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-29892", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-28T18:21:49.100701Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-13T14:07:12.217Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003c 2.42.17" }, { "status": "affected", "version": "\u003e= 2.43.0, \u003c 2.43.11" }, { "status": "affected", "version": "\u003e= 2.44.0, \u003c 2.44.7" }, { "status": "affected", "version": "\u003e= 2.45.0, \u003c 2.45.5" }, { "status": "affected", "version": "\u003e= 2.46.0, \u003c 2.46.5" }, { "status": "affected", "version": "\u003e= 2.47.0, \u003c 2.47.8" }, { "status": "affected", "version": "\u003e= 2.48.0, \u003c 2.48.3" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. 
To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-27T19:59:24.734Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5" }, { "name": 
"https://github.com/zitadel/zitadel/releases/tag/v2.47.8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3" } ], "source": { "advisory": "GHSA-gp8g-f42f-95q2", "discovery": "UNKNOWN" }, "title": "ZITADEL\u0027s actions can overload reserved claims" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-29892", "datePublished": "2024-03-27T19:59:24.734Z", "dateReserved": "2024-03-21T15:12:08.998Z", "dateUpdated": "2024-08-13T14:07:12.217Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-31124 (GCVE-0-2025-31124)
Vulnerability from cvelistv5
Published
2025-03-31 19:38
Modified
2025-03-31 22:26
CWE
Summary
Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". While the setting was correctly respected during the login flow, the login name of an existing user was normalized, which produced an observable response difference (CWE-204) between existing and non-existing users and thus disclosed the user's existence. In practice the setting did not deliver the enumeration protection it promises on affected versions, and the check is unauthenticated (CVSS PR:N), so the probing can be automated. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
zitadel | zitadel |
Version: >= 2.62.0, < 2.63.9 Version: >= 2.64.0-rc.1, < 2.64.6 Version: >= 2.65.0-rc.1, < 2.65.7 Version: >= 2.66.0-rc.1, < 2.66.16 Version: >= 2.67.0-rc.1, < 2.67.13 Version: >= 2.68.0-rc.1, < 2.68.9 Version: >= 2.69.0-rc.1, < 2.69.9 Version: >= 2.70.0-rc.1, < 2.70.8 Version: >= 2.71.0-rc.1, < 2.71.6 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-31124", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-03-31T22:26:27.377115Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-31T22:26:39.989Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.62.0, \u003c 2.63.9" }, { "status": "affected", "version": "\u003e= 2.64.0-rc.1, \u003c 2.64.6" }, { "status": "affected", "version": "\u003e= 2.65.0-rc.1, \u003c 2.65.7" }, { "status": "affected", "version": "\u003e= 2.66.0-rc.1, \u003c 2.66.16" }, { "status": "affected", "version": "\u003e= 2.67.0-rc.1, \u003c 2.67.13" }, { "status": "affected", "version": "\u003e= 2.68.0-rc.1, \u003c 2.68.9" }, { "status": "affected", "version": "\u003e= 2.69.0-rc.1, \u003c 2.69.9" }, { "status": "affected", "version": "\u003e= 2.70.0-rc.1, \u003c 2.70.8" }, { "status": "affected", "version": "\u003e= 2.71.0-rc.1, \u003c 2.71.6" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn\u0027t exist and report \"Username or Password invalid\". While the setting was correctly respected during the login flow, the user\u0027s username was normalized leading to a disclosure of the user\u0027s existence. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-203", "description": "CWE-203: Observable Discrepancy", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-204", "description": "CWE-204: Observable Response Discrepancy", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-31T19:38:12.235Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-67m4-8g4w-633q", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-67m4-8g4w-633q" }, { "name": "https://github.com/zitadel/zitadel/commit/14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.63.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.64.6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.6" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.65.7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.65.7" }, { "name": 
"https://github.com/zitadel/zitadel/releases/tag/v2.66.16", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.66.16" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.67.13", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.67.13" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.68.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.68.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.69.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.69.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.70.8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.8" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.6" } ], "source": { "advisory": "GHSA-67m4-8g4w-633q", "discovery": "UNKNOWN" }, "title": "Zitadel allows User Enumeration by loginname attribute normalization" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-31124", "datePublished": "2025-03-31T19:38:12.235Z", "dateReserved": "2025-03-26T15:04:52.626Z", "dateUpdated": "2025-03-31T22:26:39.989Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-31123 (GCVE-0-2025-31123)
Vulnerability from cvelistv5
Published
2025-03-31 19:31
Modified
2025-03-31 22:38
CWE
- CWE-324 - Use of a Key Past its Expiration Date
Summary
Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys could be used to retrieve tokens. Specifically, ZITADEL failed to properly check the expiration date of the JWT key when it was used for Authorization Grants (the JWT-bearer grant of RFC 7523 §2.1). This allows an attacker who holds the private key of an expired — but not deleted — key to obtain valid access tokens, so on affected versions key expiry alone cannot be relied on to cut off access; a retired or compromised key should be removed rather than merely left to expire. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication (RFC 7523 §2.2) on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
zitadel | zitadel |
Version: >= 2.62.0, < 2.63.9 Version: >= 2.64.0-rc.1, < 2.64.6 Version: >= 2.65.0-rc.1, < 2.65.7 Version: >= 2.66.0-rc.1, < 2.66.16 Version: >= 2.67.0-rc.1, < 2.67.13 Version: >= 2.68.0-rc.1, < 2.68.9 Version: >= 2.69.0-rc.1, < 2.69.9 Version: >= 2.70.0-rc.1, < 2.70.8 Version: >= 2.71.0-rc.1, < 2.71.6 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-31123", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-31T22:38:16.728894Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-31T22:38:38.383Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003e= 2.62.0, \u003c 2.63.9" }, { "status": "affected", "version": "\u003e= 2.64.0-rc.1, \u003c 2.64.6" }, { "status": "affected", "version": "\u003e= 2.65.0-rc.1, \u003c 2.65.7" }, { "status": "affected", "version": "\u003e= 2.66.0-rc.1, \u003c 2.66.16" }, { "status": "affected", "version": "\u003e= 2.67.0-rc.1, \u003c 2.67.13" }, { "status": "affected", "version": "\u003e= 2.68.0-rc.1, \u003c 2.68.9" }, { "status": "affected", "version": "\u003e= 2.69.0-rc.1, \u003c 2.69.9" }, { "status": "affected", "version": "\u003e= 2.70.0-rc.1, \u003c 2.70.8" }, { "status": "affected", "version": "\u003e= 2.71.0-rc.1, \u003c 2.71.6" } ] } ], "descriptions": [ { "lang": "en", "value": "Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to obtain valid access tokens. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-324", "description": "CWE-324: Use of a Key Past its Expiration Date", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-31T19:31:40.507Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-h3q7-347g-qwhf", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-h3q7-347g-qwhf" }, { "name": "https://github.com/zitadel/zitadel/commit/315503beabd679f2e6aec0c004f0f9d2f5b53ed3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/commit/315503beabd679f2e6aec0c004f0f9d2f5b53ed3" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.63.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.64.6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.6" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.65.7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.65.7" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.66.16", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.66.16" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.67.13", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.67.13" }, { "name": 
"https://github.com/zitadel/zitadel/releases/tag/v2.68.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.68.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.69.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.69.9" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.70.8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.8" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.6" } ], "source": { "advisory": "GHSA-h3q7-347g-qwhf", "discovery": "UNKNOWN" }, "title": "Zitadel Expired JWT Keys Usable for Authorization Grants" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-31123", "datePublished": "2025-03-31T19:31:40.507Z", "dateReserved": "2025-03-26T15:04:52.626Z", "dateUpdated": "2025-03-31T22:38:38.383Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-32868 (GCVE-0-2024-32868)
Vulnerability from cvelistv5
Published
2024-04-25 23:53
Modified
2024-08-05 16:54
CWE
Summary
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks (CWE-307). Consequently an attacker who already possesses a user's password could attempt (T)OTP codes without bound and brute-force the second factor — the "MFA bypass" named in the advisory title. (The record's secondary CWE-297 tag, certificate host mismatch, does not correspond to the described weakness.) This issue has been patched in version 2.50.0.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T02:20:35.643Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-32868", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-05T16:53:50.442182Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-05T16:54:00.249Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "zitadel", "vendor": "zitadel", "versions": [ { "status": "affected", "version": "\u003c 2.50.0" } ] } ], "descriptions": [ { "lang": "en", "value": "ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. 
This issue has been patched in version 2.50.0.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-297", "description": "CWE-297: Improper Validation of Certificate with Host Mismatch", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-25T23:53:37.235Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239" }, { "name": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0" } ], "source": { "advisory": "GHSA-7j7j-66cv-m239", "discovery": "UNKNOWN" }, "title": "ZITADEL\u0027s Improper Lockout Mechanism Leads to MFA Bypass" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-32868", "datePublished": "2024-04-25T23:53:37.235Z", "dateReserved": "2024-04-19T14:07:11.229Z", "dateUpdated": "2024-08-05T16:54:00.249Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2024-09-20 00:15
Modified
2024-09-24 20:20
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still included in issued tokens, so applications and resources that authorize on those token claims continued to accept the user, which could lead to unauthorized access. Additionally, the management and auth API always returned the state as active or did not provide any information about the state, so the defect was not visible through the API either. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade should not treat deactivation as a revocation and may instead explicitly remove the user grants to make sure the user does not get access anymore.
References
Source | URL | Tags |
---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5 | Patch, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B57963B2-68B5-4E7C-97B7-64304BB64F6C", "versionEndExcluding": "2.54.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD559AF6-7A21-405F-A421-B801F37B9B3C", "versionEndExcluding": "2.55.8", "versionStartIncluding": "2.55.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "04A51D71-DC37-4443-AFD4-5C1DACBD9026", "versionEndExcluding": "2.56.6", "versionStartIncluding": "2.56.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A379F08-C3D5-4C5F-8799-AC2E9097A655", "versionEndExcluding": "2.57.5", "versionStartIncluding": "2.57.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "095B9185-EB6C-4601-95AC-C1F8CE4CF757", "versionEndExcluding": "2.58.5", "versionStartIncluding": "2.58.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "790DC952-225B-4AAA-873C-EACDE249982B", "versionEndExcluding": "2.59.3", "versionStartIncluding": "2.59.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "89E084F5-D132-4244-8E7C-4E26E033A636", "versionEndExcluding": "2.60.2", "versionStartIncluding": "2.60.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.61.0:*:*:*:*:*:*:*", "matchCriteriaId": "ED36FAD4-DAB7-41FE-8C14-119B24E2CCCC", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.62.0:*:*:*:*:*:*:*", "matchCriteriaId": "D15D8180-D356-4933-8390-19B2DCE2D89F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management platform. ZITADEL\u0027s user grants deactivation mechanism did not work correctly. 
Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore." }, { "lang": "es", "value": "Zitadel es una plataforma de gesti\u00f3n de identidad de c\u00f3digo abierto. El mecanismo de desactivaci\u00f3n de concesiones de usuario de ZITADEL no funcionaba correctamente. Las concesiones de usuario desactivadas se segu\u00edan proporcionando en token, lo que pod\u00eda provocar un acceso no autorizado a aplicaciones y recursos. Adem\u00e1s, la API de gesti\u00f3n y autenticaci\u00f3n siempre devolv\u00eda el estado como activo o no proporcionaba ninguna informaci\u00f3n sobre el estado. Se han publicado las versiones 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8 y 2.54.10 que solucionan este problema. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar pueden eliminar expl\u00edcitamente las concesiones de usuario para asegurarse de que el usuario ya no obtenga acceso." 
} ], "id": "CVE-2024-46999", "lastModified": "2024-09-24T20:20:39.253", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-09-20T00:15:03.350", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-03-18 22:15
Modified
2025-01-08 18:14
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to an improper use of the `text/template` package instead of `html/template`, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could craft a malicious link whose injected markup would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy; the residual risk is therefore non-script HTML injection (e.g. content spoofing of the login page) and depends on the CSP actually being delivered and enforced by the browser. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available.
References
Source | URL | Tags |
---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.41.15 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.42.15 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.43.9 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.44.3 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.45.1 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.46.1 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.47.3 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.41.15 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.42.15 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.43.9 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.44.3 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.45.1 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.46.1 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.47.3 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FFD391D1-3498-46AB-B74F-5EAB21A2E33C", "versionEndExcluding": "2.41.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9A5738D-E435-4BC1-8B95-50C8DCE2A82C", "versionEndExcluding": "2.42.15", "versionStartIncluding": "2.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A5FC2D7-DF8A-48ED-98B3-48B85DD5FE18", "versionEndExcluding": "2.43.9", "versionStartIncluding": "2.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "44939A24-65F7-4D03-805E-585F2AEC7A31", "versionEndExcluding": "2.44.3", "versionStartIncluding": "2.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "345DE50B-483E-4B0F-A391-E68BEF04AF2E", "versionEndExcluding": "2.47.4", "versionStartIncluding": "2.47.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.45.0:-:*:*:*:*:*:*", "matchCriteriaId": "CDF0C992-982C-4963-BFE4-1592B681D69E", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.45.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "BDA3827B-80DF-4A2A-A103-97FE37352090", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.46.0:-:*:*:*:*:*:*", "matchCriteriaId": "B3FE712E-6B93-4374-A2A8-8A6C51007F1D", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.46.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CCEA9592-45E4-4C4A-906F-62732495B2D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.46.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D5C0396B-7FFB-4700-BBFF-AC7D2748B00A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL, open source authentication management software, uses Go templates to render the login UI. 
Due to a improper use of the `text/template` instead of the `html/template` package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link, where he injected code which would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available." }, { "lang": "es", "value": "ZITADEL, software de gesti\u00f3n de autenticaci\u00f3n de c\u00f3digo abierto, utiliza plantillas Go para representar la interfaz de usuario de inicio de sesi\u00f3n. Debido a un uso inadecuado del paquete `text/template` en lugar del paquete `html/template`, la interfaz de usuario de inicio de sesi\u00f3n no sanitiz\u00f3 los par\u00e1metros de entrada antes de las versiones 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43. .9, 2.42.15 y 2.41.15. Un atacante podr\u00eda crear un enlace malicioso, donde inyectar\u00eda un c\u00f3digo que se mostrar\u00eda como parte de la pantalla de inicio de sesi\u00f3n. Si bien era posible inyectar HTML, incluido JavaScript, la Pol\u00edtica de seguridad de contenido impedir\u00eda la ejecuci\u00f3n de dichos scripts. Las versiones 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15 y 2.41.15 contienen un parche para este problema. No hay workarounds conocidos disponibles." 
} ], "id": "CVE-2024-28855", "lastModified": "2025-01-08T18:14:28.137", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-03-18T22:15:08.963", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.41.15" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.15" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.9" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.3" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.1" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.1" }, { "source": 
"security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.3" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.41.15" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.15" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-07-31 17:15
Modified
2025-01-08 18:27
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". Due to an implementation change made to prevent deadlocks when calling the database, the flag was not correctly respected in all cases, and an attacker could learn whether an account exists within ZITADEL, since the error message shows "object not found" instead of the generic error message. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, and 2.53.9.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/0ab0c645ef914298c343fa39cccb1290aba48bf6 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/3c7d12834e32426416235b9e3374be0f4b9380b8 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/5c2526c98aafd1ba206be2fa4291b1d24c384f6d | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/8565d24fd8df5bd35294313cfbfcc2e15aea20e9 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/b0e71a81ef39667ce2a149ce037c1ca0edbe059d | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/fc1d415b8db5b8d481bb65206ce3fc944c0eecea | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.53.9 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.54.8 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.55.5 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.56.2 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.57.1 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.58.1 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-567v-6hmg-6qg7 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FEB64E1-AA7A-44A6-97EA-D82646DA5D07", "versionEndExcluding": "2.53.9", "versionStartIncluding": "2.53.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F42BFC4E-33C3-48F0-9CAB-72D2EEFEF163", "versionEndExcluding": "2.54.8", "versionStartIncluding": "2.54.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C81EA150-B7C8-4682-9D33-B04DB4075205", "versionEndExcluding": "2.55.5", "versionStartIncluding": "2.55.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7675309A-22D1-4A64-9CB6-F36A496C421F", "versionEndExcluding": "2.56.2", "versionStartIncluding": "2.56.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.57.0:-:*:*:*:*:*:*", "matchCriteriaId": "CAA9A765-F2B2-46B8-BEA8-F9CEA81BEFA3", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.57.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4863B756-9DE4-4171-8035-E6965D55D578", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.57.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "C2FEB539-0344-44F4-9595-9C35033FBF14", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.58.0:*:*:*:*:*:*:*", "matchCriteriaId": "02DB4060-6B1F-4FDB-9B50-6C47B613B8B1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn\u0027t exist and report \"Username or Password invalid\". 
Due to a implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases and an attacker would gain information if an account exist within ZITADEL, since the error message shows \"object not found\" instead of the generic error message. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, and 2.53.9." }, { "lang": "es", "value": "Zitadel es un sistema de gesti\u00f3n de identidades de c\u00f3digo abierto. Los administradores de ZITADEL pueden habilitar una configuraci\u00f3n llamada \"Ignoring unknown usernames\" que ayuda a mitigar los ataques que intentan adivinar/enumerar nombres de usuario. Si est\u00e1 habilitado, ZITADEL mostrar\u00e1 la solicitud de contrase\u00f1a incluso si el usuario no existe e informar\u00e1 \"Username or Password invalid\". Debido a un cambio de implementaci\u00f3n para evitar interbloqueos al llamar a la base de datos, el flag no se respetar\u00eda correctamente en todos los casos y un atacante obtendr\u00eda informaci\u00f3n si existe una cuenta dentro de ZITADEL, ya que el mensaje de error muestra \"object not found\" en lugar del error gen\u00e9rico. mensaje. Esta vulnerabilidad se solucion\u00f3 en 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8 y 2.53.9." 
} ], "id": "CVE-2024-41952", "lastModified": "2025-01-08T18:27:21.500", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-07-31T17:15:10.597", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/0ab0c645ef914298c343fa39cccb1290aba48bf6" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/3c7d12834e32426416235b9e3374be0f4b9380b8" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/5c2526c98aafd1ba206be2fa4291b1d24c384f6d" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/8565d24fd8df5bd35294313cfbfcc2e15aea20e9" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/b0e71a81ef39667ce2a149ce037c1ca0edbe059d" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": 
"https://github.com/zitadel/zitadel/commit/fc1d415b8db5b8d481bb65206ce3fc944c0eecea" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.9" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.8" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.5" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.56.2" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.57.1" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.1" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-567v-6hmg-6qg7" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-203" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-203" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-03-27 20:15
Modified
2025-01-08 18:16
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox; Chrome, Safari and Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.42.17 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.43.11 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.44.7 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.45.5 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.46.5 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.47.8 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.48.3 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.42.17 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.43.11 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.44.7 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.45.5 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.46.5 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.47.8 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.48.3 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "220712AC-B9A7-4C02-972F-F69A3C93EA5C", "versionEndExcluding": "2.42.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E63D00B9-2C3C-48BA-9C87-DA3B3895DDCB", "versionEndExcluding": "2.43.11", "versionStartIncluding": "2.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B72E7A77-7537-4872-8038-A92E68A1451B", "versionEndExcluding": "2.44.7", "versionStartIncluding": "2.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0B9428D-76F8-4121-809B-AEC937D6419A", "versionEndExcluding": "2.45.5", "versionStartIncluding": "2.45.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5829B90F-DCE0-44DB-AC75-9BC923774CD7", "versionEndExcluding": "2.46.5", "versionStartIncluding": "2.46.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C29110B-3ADA-4388-A9AF-773574F03094", "versionEndExcluding": "2.47.8", "versionStartIncluding": "2.47.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "63C71265-8561-48A6-9D9F-1A94A89A64D8", "versionEndExcluding": "2.48.3", "versionStartIncluding": "2.48.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim\u0027s account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. 
The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17." }, { "lang": "es", "value": "Los usuarios de ZITADEL pueden cargar su propia imagen de avatar y se permiten varios tipos de im\u00e1genes. Debido a la falta de un cheque, un atacante podr\u00eda cargar HTML y pretender que es una imagen para obtener acceso a la cuenta de la v\u00edctima en ciertos escenarios. Una posible v\u00edctima necesitar\u00eda abrir directamente la supuesta imagen en el navegador, donde debe haber una sesi\u00f3n activa en ZITADEL para que este exploit funcione. El exploit s\u00f3lo podr\u00eda reproducirse si la v\u00edctima estuviera usando Firefox. Chrome, Safari y Edge no ejecutaron el c\u00f3digo. Esta vulnerabilidad se solucion\u00f3 en 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11 y 2.42.17." } ], "id": "CVE-2024-29891", "lastModified": "2025-01-08T18:16:59.630", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary" 
} ] }, "published": "2024-03-27T20:15:07.780", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-08 22:15
Modified
2024-11-21 08:29
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a `Lockout Policy` with a maximum amount of failed password check attempts. On every failed password check, the amount of failed checks is compared against the configured maximum. Exceeding the limit will lock the user and prevent further authentication. In the affected implementation it was possible for an attacker to start multiple parallel password checks, giving them the possibility to try more combinations than configured in the `Lockout Policy`. This vulnerability has been patched in versions 2.40.5 and 2.38.3.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.38.3 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.40.5 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.38.3 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.40.5 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF7331E5-9891-4D72-B9D1-71620A21A006", "versionEndExcluding": "2.38.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EA4342D-C972-4980-8E06-4F19EA76E69E", "versionEndExcluding": "2.40.5", "versionStartIncluding": "2.39.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a `Lockout Policy` with a maximum amount of failed password check attempts. On every failed password check, the amount of failed checks is compared against the configured maximum. Exceeding the limit, will lock the user and prevent further authentication. In the affected implementation it was possible for an attacker to start multiple parallel password checks, giving him the possibility to try out more combinations than configured in the `Lockout Policy`. This vulnerability has been patched in versions 2.40.5 and 2.38.3.\n" }, { "lang": "es", "value": "ZITADEL proporciona infraestructura de identidad. ZITADEL brinda a los administradores la posibilidad de definir una \"Pol\u00edtica de bloqueo\" con una cantidad m\u00e1xima de intentos fallidos de verificaci\u00f3n de contrase\u00f1a. En cada verificaci\u00f3n de contrase\u00f1a fallida, la cantidad de comprobaciones fallidas se compara con el m\u00e1ximo configurado. Exceder el l\u00edmite bloquear\u00e1 al usuario y evitar\u00e1 una mayor autenticaci\u00f3n. En la implementaci\u00f3n afectada, un atacante pod\u00eda iniciar m\u00faltiples comprobaciones de contrase\u00f1as en paralelo, d\u00e1ndole la posibilidad de probar m\u00e1s combinaciones de las configuradas en la \"Pol\u00edtica de bloqueo\". Esta vulnerabilidad ha sido parcheada en las versiones 2.40.5 y 2.38.3." 
} ], "id": "CVE-2023-47111", "lastModified": "2024-11-21T08:29:48.000", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-08T22:15:10.657", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.3" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.40.5" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": 
"https://github.com/zitadel/zitadel/releases/tag/v2.38.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.40.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-362" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-03-11 20:15
Modified
2025-01-07 15:54
Severity ?
7.5 (High) - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
7.5 (High) - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
7.5 (High) - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary
Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim’s account in certain scenarios. A possible victim would need to log in through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain: either the attacker being able to control DNS, or an XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie, so users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr | Mitigation, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr | Mitigation, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A896302F-4289-419A-882F-8E4207B611A2", "versionEndExcluding": "2.44.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.45.0:-:*:*:*:*:*:*", "matchCriteriaId": "CDF0C992-982C-4963-BFE4-1592B681D69E", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.45.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "BDA3827B-80DF-4A2A-A103-97FE37352090", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.46.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CCEA9592-45E4-4C4A-906F-62732495B2D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.46.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D5C0396B-7FFB-4700-BBFF-AC7D2748B00A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim\u2019s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. 
Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`." }, { "lang": "es", "value": "Zitadel es un sistema de gesti\u00f3n de identidades de c\u00f3digo abierto. Zitadel utiliza una cookie para identificar el agente de usuario (navegador) y sus sesiones de usuario. Aunque la cookie se manej\u00f3 de acuerdo con las mejores pr\u00e1cticas, era accesible en los subdominios de la instancia ZITADEL. Un atacante podr\u00eda aprovechar esto y proporcionar un enlace malicioso alojado en el subdominio al usuario para obtener acceso a la cuenta de la v\u00edctima en ciertos escenarios. Una posible v\u00edctima tendr\u00eda que iniciar sesi\u00f3n a trav\u00e9s del enlace malicioso para que este exploit funcione. Si la posible v\u00edctima ya tuviera presente la cookie, el ataque no tendr\u00eda \u00e9xito. Adem\u00e1s, el ataque solo ser\u00eda posible si hubiera una vulnerabilidad inicial en el subdominio. Esto podr\u00eda ser que el atacante pueda controlar DNS o una vulnerabilidad XSS en una aplicaci\u00f3n alojada en un subdominio. Se han parcheado las versiones 2.46.0, 2.45.1 y 2.44.3. Zitadel recomienda actualizar a las \u00faltimas versiones disponibles oportunamente. Tenga en cuenta que la aplicaci\u00f3n del parche invalidar\u00e1 la cookie actual y, por lo tanto, los usuarios deber\u00e1n iniciar una nueva sesi\u00f3n y las sesiones existentes (selecci\u00f3n de usuario) estar\u00e1n vac\u00edas. Para entornos autohospedados que no pueden actualizar a una versi\u00f3n parcheada, evite configurar el siguiente nombre de cookie en los subdominios de su instancia de Zitadel (por ejemplo, dentro de su WAF): `__Secure-zitadel-useragent`." 
} ], "id": "CVE-2024-28197", "lastModified": "2025-01-07T15:54:40.987", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-03-11T20:15:07.420", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-384" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-31 23:15
Modified
2024-11-21 07:12
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
ZITADEL combines the ease of Auth0 and the versatility of Keycloak. **Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature where users with the role `ORG_OWNER` are able to create JavaScript code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround; users should update.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v1.87.1 | Third Party Advisory | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.2.0 | Patch, Release Notes, Third Party Advisory | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v1.87.1 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.2.0 | Patch, Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c | Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "21639E9B-F9C6-4154-A621-5EB699AA2F2F", "versionEndExcluding": "1.87.1", "versionStartIncluding": "1.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "74BEE341-A883-47DE-A2B1-E62F55AFCC90", "versionEndExcluding": "2.2.0", "versionStartIncluding": "2.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update." }, { "lang": "es", "value": "ZITADEL combina la facilidad de Auth0 y la versatilidad de Keycloak.**Acciones**, introducido en ZITADEL versi\u00f3n **1.42.0** en la API y versi\u00f3n **1.56.0** para la Consola, es una caracter\u00edstica, donde los usuarios con rol.\"ORG_OWNER\" son capaces de crear C\u00f3digo Javascript, que es invocado por el sistema en ciertos puntos durante el login. Las **Acciones**, por ejemplo, permiten crear autorizaciones (subvenciones a usuarios) en usuarios reci\u00e9n creados de forma program\u00e1tica. 
Debido a una falta de comprobaci\u00f3n de autorizaciones, las **Actions** pod\u00edan conceder autorizaciones a proyectos que pertenec\u00edan a otras organizaciones dentro de la misma Instancia. La concesi\u00f3n de autorizaciones por medio de la API y la consola no est\u00e1 afectada por esta vulnerabilidad. Actualmente no se presenta una mitigaci\u00f3n conocida, los usuarios deben actualizar" } ], "id": "CVE-2022-36051", "lastModified": "2024-11-21T07:12:16.227", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-31T23:15:08.097", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Release Notes", "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Release Notes", "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-436" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-07-31 17:15
Modified
2025-01-08 18:29
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information, such as usernames, dynamically. That information can be entered by users or administrators. Due to missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker, without privileges, could send out altered notifications that are part of the registration processes. An attacker could create a malicious link, where the injected code would be rendered as part of the email. On the user's detail page, the username was also not sanitized and would also render HTML, giving an attacker the same vulnerability. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by most email clients and by the Content Security Policy in the Console UI. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, 2.53.9, and 2.52.3.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/0e1f99e987b5851caec45a72660fe9f67e425747 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/38da602ee1cfc35c0d7918c298fbfc3f3674133b | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/4b59cac67bb89c1f3f84a2041dd273d11151d29f | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/c1a3fc72dde16e987d8a09aa291e7c2edfc928f7 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/c353f82f89c6982c0888c6763363296cf4263cb2 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/d04ac6df8f2f0243e649b802a8bfa6176cef0923 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/f846616a3f022e88e3ea8cea05d3254ad86f1615 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.52.3 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.53.9 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.54.8 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.55.5 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.56.2 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.57.1 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.58.1 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-v333-7h2p-5fhv | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5175425-BCED-488C-8786-E093C1D5E561", "versionEndExcluding": "2.52.3", "versionStartIncluding": "2.52.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FEB64E1-AA7A-44A6-97EA-D82646DA5D07", "versionEndExcluding": "2.53.9", "versionStartIncluding": "2.53.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F42BFC4E-33C3-48F0-9CAB-72D2EEFEF163", "versionEndExcluding": "2.54.8", "versionStartIncluding": "2.54.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C81EA150-B7C8-4682-9D33-B04DB4075205", "versionEndExcluding": "2.55.5", "versionStartIncluding": "2.55.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7675309A-22D1-4A64-9CB6-F36A496C421F", "versionEndExcluding": "2.56.2", "versionStartIncluding": "2.56.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.57.0:-:*:*:*:*:*:*", "matchCriteriaId": "CAA9A765-F2B2-46B8-BEA8-F9CEA81BEFA3", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.57.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4863B756-9DE4-4171-8035-E6965D55D578", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.57.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "C2FEB539-0344-44F4-9595-9C35033FBF14", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.58.0:*:*:*:*:*:*:*", "matchCriteriaId": "02DB4060-6B1F-4FDB-9B50-6C47B613B8B1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. 
Due to a missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker, without privileges, could send out altered notifications that are part of the registration processes. An attacker could create a malicious link, where the injected code would be rendered as part of the email. On the user\u0027s detail page, the username was also not sanitized and would also render HTML, giving an attacker the same vulnerability. While it was possible to inject HTML including javascript, the execution of such scripts would be prevented by most email clients and the Content Security Policy in Console UI. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8 2.53.9, and 2.52.3." }, { "lang": "es", "value": "Zitadel es un sistema de gesti\u00f3n de identidades de c\u00f3digo abierto. ZITADEL utiliza HTML para los correos electr\u00f3nicos y muestra cierta informaci\u00f3n, como los nombres de usuario, de forma din\u00e1mica. Esa informaci\u00f3n puede ser ingresada por usuarios o administradores. Debido a la falta de sanitizaci\u00f3n de la salida, estos correos electr\u00f3nicos podr\u00edan incluir c\u00f3digo malicioso. Esto puede generar potencialmente una amenaza en la que un atacante, sin privilegios, podr\u00eda enviar notificaciones alteradas que forman parte de los procesos de registro. Un atacante podr\u00eda crear un enlace malicioso, donde el c\u00f3digo inyectado se presentar\u00eda como parte del correo electr\u00f3nico. En la p\u00e1gina de detalles del usuario, el nombre de usuario tampoco estaba sanitizado y tambi\u00e9n representaba HTML, lo que le daba al atacante la misma vulnerabilidad. Si bien era posible inyectar HTML, incluido JavaScript, la mayor\u00eda de los clientes de correo electr\u00f3nico y la Pol\u00edtica de seguridad de contenido en la interfaz de usuario de la consola impedir\u00edan la ejecuci\u00f3n de dichos scripts. 
Esta vulnerabilidad se solucion\u00f3 en 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8 2.53.9 y 2.52.3." } ], "id": "CVE-2024-41953", "lastModified": "2025-01-08T18:29:25.370", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-07-31T17:15:10.850", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/0e1f99e987b5851caec45a72660fe9f67e425747" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/38da602ee1cfc35c0d7918c298fbfc3f3674133b" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/4b59cac67bb89c1f3f84a2041dd273d11151d29f" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/c1a3fc72dde16e987d8a09aa291e7c2edfc928f7" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": 
"https://github.com/zitadel/zitadel/commit/c353f82f89c6982c0888c6763363296cf4263cb2" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/d04ac6df8f2f0243e649b802a8bfa6176cef0923" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/f846616a3f022e88e3ea8cea05d3254ad86f1615" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.52.3" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.9" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.8" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.5" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.56.2" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.57.1" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.1" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v333-7h2p-5fhv" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-09-20 00:15
Modified
2024-09-25 16:43
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, its associated projects and their applications remain active. Users across other organizations can still log in and gain access through these applications, leading to unauthorized access. Additionally, if a project was deactivated, access to its applications was still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive but its resources remain accessible. This vulnerability allows unauthorized access to projects and their resources, which should have been restricted after the organization was deactivated. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released to address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is no longer allowed.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8 | Patch, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B57963B2-68B5-4E7C-97B7-64304BB64F6C", "versionEndExcluding": "2.54.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD559AF6-7A21-405F-A421-B801F37B9B3C", "versionEndExcluding": "2.55.8", "versionStartIncluding": "2.55.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "04A51D71-DC37-4443-AFD4-5C1DACBD9026", "versionEndExcluding": "2.56.6", "versionStartIncluding": "2.56.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A379F08-C3D5-4C5F-8799-AC2E9097A655", "versionEndExcluding": "2.57.5", "versionStartIncluding": "2.57.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "095B9185-EB6C-4601-95AC-C1F8CE4CF757", "versionEndExcluding": "2.58.5", "versionStartIncluding": "2.58.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "790DC952-225B-4AAA-873C-EACDE249982B", "versionEndExcluding": "2.59.3", "versionStartIncluding": "2.59.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "89E084F5-D132-4244-8E7C-4E26E033A636", "versionEndExcluding": "2.60.2", "versionStartIncluding": "2.60.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.61.0:*:*:*:*:*:*:*", "matchCriteriaId": "ED36FAD4-DAB7-41FE-8C14-119B24E2CCCC", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.62.0:*:*:*:*:*:*:*", "matchCriteriaId": "D15D8180-D356-4933-8390-19B2DCE2D89F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management platform. 
In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization\u0027s lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore." }, { "lang": "es", "value": "Zitadel es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. En Zitadel, incluso despu\u00e9s de que se desactiva una organizaci\u00f3n, los proyectos asociados y sus aplicaciones permanecen activos. Los usuarios de otras organizaciones a\u00fan pueden iniciar sesi\u00f3n y acceder a trav\u00e9s de estas aplicaciones, lo que genera acceso no autorizado. Adem\u00e1s, si se desactiva un proyecto, tambi\u00e9n se puede acceder a las aplicaciones. El problema surge del hecho de que cuando se desactiva una organizaci\u00f3n en Zitadel, las aplicaciones asociadas a ella no se desactivan autom\u00e1ticamente. 
El ciclo de vida de la aplicaci\u00f3n no est\u00e1 estrechamente vinculado con el ciclo de vida de la organizaci\u00f3n, lo que genera una situaci\u00f3n en la que la organizaci\u00f3n o el proyecto se marcan como inactivos, pero sus recursos siguen siendo accesibles. Esta vulnerabilidad permite el acceso no autorizado a los proyectos y sus recursos, que deber\u00edan haber estado restringidos despu\u00e9s de la desactivaci\u00f3n de la organizaci\u00f3n. Se han publicado las versiones 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8 y 2.54.10 que solucionan este problema. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar la versi\u00f3n pueden deshabilitar expl\u00edcitamente la aplicaci\u00f3n para asegurarse de que el cliente ya no est\u00e9 autorizado." } ], "id": "CVE-2024-47060", "lastModified": "2024-09-25T16:43:47.267", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-09-20T00:15:03.767", "references": [ { "source": "security-advisories@github.com", "tags": [ 
"Patch", "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-10-10 17:15
Modified
2024-11-21 08:25
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this setting was working properly during the authentication process, it did not work correctly in the password reset flow. This meant that even when this feature was active, an attacker could use the password reset function to verify whether an account exists within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.37.3 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.38.0 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.37.3 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.38.0 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "945BD332-6A49-4ACD-8E01-583EFD78B8BA", "versionEndIncluding": "2.37.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available." }, { "lang": "es", "value": "ZITADEL proporciona infraestructura de identidad. En las versiones 2.37.2 y anteriores, los administradores de ZITADEL pueden habilitar una configuraci\u00f3n llamada \"Ignoring unknown usernames\" que ayuda a mitigar los ataques que intentan adivinar/enumerar nombres de usuario. Si bien esta configuraci\u00f3n funcion\u00f3 correctamente durante el proceso de autenticaci\u00f3n, no funcion\u00f3 correctamente en el flujo de restablecimiento de contrase\u00f1a. Esto significaba que incluso si esta funci\u00f3n estuviera activa, un atacante podr\u00eda usar la funci\u00f3n de restablecimiento de contrase\u00f1a para verificar si existe una cuenta dentro de ZITADEL. Este error se ha corregido en las versiones 2.37.3 y 2.38.0. No hay workarounds conocidos disponibles." 
} ], "id": "CVE-2023-44399", "lastModified": "2024-11-21T08:25:49.450", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-10-10T17:15:13.107", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.37.3" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.0" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.37.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-640" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-05-30 07:15
Modified
2025-06-04 18:31
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "85350F21-A7E3-4B1F-993F-B6B34B2E5E0F", "versionEndExcluding": "2.70.12", "versionStartIncluding": "2.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D49934C-0B58-4751-B4A3-0D44D34D2BE3", "versionEndExcluding": "2.71.11", "versionStartIncluding": "2.71.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DD58ABC-0593-4A47-AE00-C8885627A954", "versionEndExcluding": "3.2.2", "versionStartIncluding": "3.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user\u0027s password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2." }, { "lang": "es", "value": "Zitadel es un software de infraestructura de identidad de c\u00f3digo abierto. 
En versiones anteriores a las 2.70.12, 2.71.10 y 3.2.2, exist\u00eda una posible vulnerabilidad en el mecanismo de restablecimiento de contrase\u00f1a. ZITADEL utiliza el encabezado \"Forwarded\" o \"X-Forwarded-Host\" de las solicitudes entrantes para construir la URL del enlace de confirmaci\u00f3n de restablecimiento de contrase\u00f1a. Este enlace, que contiene un c\u00f3digo secreto, se env\u00eda por correo electr\u00f3nico al usuario. Si un atacante manipula estos encabezados (por ejemplo, mediante la inyecci\u00f3n de un encabezado de host), podr\u00eda generar un enlace de restablecimiento de contrase\u00f1a que apunta a un dominio malicioso controlado por el atacante. Si el usuario hace clic en este enlace manipulado en el correo electr\u00f3nico, el atacante puede capturar el c\u00f3digo secreto de restablecimiento incrustado en la URL. Este c\u00f3digo capturado podr\u00eda utilizarse para restablecer la contrase\u00f1a del usuario y obtener acceso no autorizado a su cuenta. Este vector de ataque espec\u00edfico se mitiga en cuentas con autenticaci\u00f3n multifactor (MFA) o autenticaci\u00f3n sin contrase\u00f1a habilitada. Este problema se ha solucionado en las versiones 2.70.12, 2.71.10 y 3.2.2." 
} ], "id": "CVE-2025-48936", "lastModified": "2025-06-04T18:31:41.773", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2025-05-30T07:15:24.427", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/c097887bc5f680e12c998580fb56d98a15758f53" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "security-advisories@github.com", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-77" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-10-26 15:15
Modified
2024-11-21 08:28
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
ZITADEL is an identity infrastructure management system. ZITADEL users can upload their own avatar image using various image types, including SVG. SVG can include scripts, such as JavaScript, which can be executed during rendering. Due to a missing security header, an attacker could inject code into an SVG to gain access to the victim’s account in certain scenarios. A victim would need to open the malicious image directly in the browser, and exactly one session in ZITADEL needs to be active for this exploit to work. If the possible victim had multiple or no active sessions in ZITADEL, the attack would not succeed. This issue has been patched in versions 2.39.2 and 2.38.2.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.38.2 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.39.2 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-954h-jrpm-72pm | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.38.2 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.39.2 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-954h-jrpm-72pm | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "223DDD74-92C5-4069-9422-B64A3D12EF6F", "versionEndExcluding": "2.38.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2ED84934-B055-4AA2-A96F-168846A8F62A", "versionEndExcluding": "2.39.2", "versionStartIncluding": "2.39.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL is an identity infrastructure management system. ZITADEL users can upload their own avatar image using various image types including SVG. SVG can include scripts, such as javascript, which can be executed during rendering. Due to a missing security header, an attacker could inject code to an SVG to gain access to the victim\u2019s account in certain scenarios. A victim would need to directly open the malicious image in the browser, where a single session in ZITADEL needs to be active for this exploit to work. If the possible victim had multiple or no active sessions in ZITADEL, the attack would not succeed. This issue has been patched in version 2.39.2 and 2.38.2." }, { "lang": "es", "value": "ZITADEL es un sistema de gesti\u00f3n de infraestructura de identidad. Los usuarios de ZITADEL pueden cargar su propia imagen de avatar utilizando varios tipos de im\u00e1genes, incluido SVG. SVG puede incluir scripts, como javascript, que se pueden ejecutar durante el renderizado. Debido a la falta de un encabezado de seguridad, un atacante podr\u00eda inyectar c\u00f3digo en un SVG para obtener acceso a la cuenta de la v\u00edctima en ciertos escenarios. Una v\u00edctima necesitar\u00eda abrir directamente la imagen maliciosa en el navegador, donde debe haber una \u00fanica sesi\u00f3n activa en ZITADEL para que este exploit funcione. 
Si la posible v\u00edctima tuviera varias sesiones activas o ninguna en ZITADEL, el ataque no tendr\u00eda \u00e9xito. Este problema se solucion\u00f3 en las versiones 2.39.2 y 2.38.2." } ], "id": "CVE-2023-46238", "lastModified": "2024-11-21T08:28:08.540", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-10-26T15:15:09.173", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.2" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.39.2" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-954h-jrpm-72pm" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.38.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"https://github.com/zitadel/zitadel/releases/tag/v2.39.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-954h-jrpm-72pm" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-30 05:15
Modified
2024-11-21 08:32
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
ZITADEL is an identity infrastructure system. ZITADEL uses the Forwarded or X-Forwarded-Host header of the request that triggers a notification to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and the user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the user's password and take over their account. Accounts with MFA or Passwordless enabled cannot be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w | Exploit, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w | Exploit, Patch, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B217DCB5-07BA-4BA3-97A2-91397DAA878D", "versionEndExcluding": "2.39.9", "versionStartIncluding": "2.39.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "75A6467A-C432-4810-A2D9-FBED9090ED67", "versionEndExcluding": "2.40.10", "versionStartIncluding": "2.40.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A14C74C2-0A2A-4F71-86D6-7CFE7911D6EB", "versionEndExcluding": "2.41.6", "versionStartIncluding": "2.41.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.\n" }, { "lang": "es", "value": "ZITADEL es un sistema de infraestructura de identidad. ZITADEL utiliza el encabezado de solicitudes de activaci\u00f3n de notificaciones Forwarded o X-Forwarded-Host para crear el enlace del bot\u00f3n enviado en los correos electr\u00f3nicos para confirmar un restablecimiento de contrase\u00f1a con el c\u00f3digo enviado por correo electr\u00f3nico. Si este encabezado se sobrescribe y un usuario hace clic en el enlace a un sitio malicioso en el correo electr\u00f3nico, el c\u00f3digo secreto se puede recuperar y utilizar para restablecer la contrase\u00f1a del usuario y hacerse cargo de su cuenta. 
Este ataque no puede apoderarse de las cuentas con MFA o sin contrase\u00f1a habilitadas. Este problema se solucion\u00f3 en las versiones 2.41.6, 2.40.10 y 2.39.9." } ], "id": "CVE-2023-49097", "lastModified": "2024-11-21T08:32:49.033", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-30T05:15:09.503", "references": [ { "source": "security-advisories@github.com", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-640" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-01-11 20:15
Modified
2024-11-21 07:44
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
ZITADEL is a combination of Auth0 and Keycloak. Refresh tokens are an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without needing to interact with a UI. Refresh tokens were not invalidated when a user was locked or deactivated. A deactivated or locked user was still able to obtain a valid access token, but only through a refresh token grant. When the locked or deactivated user’s session had already been terminated (“logged out”), it was not possible to create a new session. Renewal of an access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8 | Patch, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0656FCDD-D804-476F-B8F8-4BB6845B622A", "versionEndExcluding": "2.16.4", "versionStartIncluding": "2.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52C4BACF-5AB3-4DBF-865D-E0FC740C379C", "versionEndExcluding": "2.17.3", "versionStartIncluding": "2.17.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user\u0027s session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user\u2019s session was already terminated (\u201clogged out\u201d) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4. " }, { "lang": "es", "value": "ZITADEL es una combinaci\u00f3n de Auth0 y Keycloak. RefreshTokens es una caracter\u00edstica de OAuth 2.0 que permite a las aplicaciones recuperar nuevos tokens de acceso y actualizar la sesi\u00f3n del usuario sin la necesidad de interactuar con una interfaz de usuario. Los RefreshTokens no se invalidaban cuando un usuario era bloqueado o desactivado. El usuario desactivado o bloqueado pudo obtener un token de acceso v\u00e1lido solo mediante una concesi\u00f3n de token de actualizaci\u00f3n. 
Cuando la sesi\u00f3n del usuario bloqueado o desactivado ya hab\u00eda finalizado (\u201clogged out\u201d) no era posible crear una nueva sesi\u00f3n. La renovaci\u00f3n del token de acceso mediante una concesi\u00f3n de token de actualizaci\u00f3n est\u00e1 limitada a la cantidad de tiempo configurada (RefreshTokenExpiration). Como workaround, aseg\u00farese de que RefreshTokenExpiration en la configuraci\u00f3n OIDC de su instancia est\u00e9 configurado de acuerdo con sus requisitos de seguridad. Este problema se solucion\u00f3 en las versiones 2.17.3 y 2.16.4." } ], "id": "CVE-2023-22492", "lastModified": "2024-11-21T07:44:55.083", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-01-11T20:15:08.970", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-613" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-04-26 00:15
Modified
2025-01-08 18:21
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
ZITADEL gives users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum number of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.50.0 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.50.0 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A197D8E-D7FE-4179-9801-3098A9734003", "versionEndExcluding": "2.50.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0.\n" }, { "lang": "es", "value": "ZITADEL ofrece a los usuarios la posibilidad de utilizar contrase\u00f1as de un solo uso (TOTP) y contrase\u00f1as de un solo uso (OTP) a trav\u00e9s de SMS y correo electr\u00f3nico. Si bien ZITADEL ya ofrece a los administradores la opci\u00f3n de definir una \"Pol\u00edtica de bloqueo\" con una cantidad m\u00e1xima de intentos fallidos de verificaci\u00f3n de contrase\u00f1a, no exist\u00eda tal mecanismo para las comprobaciones (T)OTP. Este problema se solucion\u00f3 en la versi\u00f3n 2.50.0." 
} ], "id": "CVE-2024-32868", "lastModified": "2025-01-08T18:21:50.550", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-04-26T00:15:08.753", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-297" }, { "lang": "en", "value": "CWE-307" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { 
"description": [ { "lang": "en", "value": "CWE-307" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-05-01 07:15
Modified
2025-01-08 18:30
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Zitadel is an open source identity management system. In case ZITADEL could not connect to the database, connection information including the database name, username and database host name could be returned to the user. This has been addressed in all supported release branches in a point release. There is no workaround since a patch is already available. Users are advised to upgrade.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.45.7 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.46.7 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.47.10 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.48.5 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.49.5 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.50.3 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.45.7 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.46.7 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.47.10 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.48.5 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.49.5 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.50.3 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15D019CD-D79D-4B81-9C28-802373CA2B17", "versionEndExcluding": "2.45.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BFB7830-9DF5-4FF5-A6E8-A976B96396E4", "versionEndExcluding": "2.46.7", "versionStartIncluding": "2.46.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "98F0456B-00F0-484D-9F05-9DB92F1F3784", "versionEndExcluding": "2.47.10", "versionStartIncluding": "2.47.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2512D91-605E-483E-BDA4-957BE71D0386", "versionEndExcluding": "2.48.5", "versionStartIncluding": "2.48.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6FC417F4-B0D4-4C2E-823B-B746AA58236E", "versionEndExcluding": "2.49.5", "versionStartIncluding": "2.49.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "07BB6554-4F98-4458-932E-F456C00B17D9", "versionEndExcluding": "2.50.3", "versionStartIncluding": "2.50.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management system. In case ZITADEL could not connect to the database, connection information including db name, username and db host name could be returned to the user. This has been addressed in all supported release branches in a point release. There is no workaround since a patch is already available. Users are advised to upgrade." }, { "lang": "es", "value": "Zitadel es un sistema de gesti\u00f3n de identidades de c\u00f3digo abierto. 
En caso de que ZITADEL no pudiera conectarse a la base de datos, se podr\u00eda devolver al usuario la informaci\u00f3n de conexi\u00f3n, incluido el nombre de la base de datos, el nombre de usuario y el nombre del host de la base de datos. Esto se ha solucionado en todas las ramas de versiones admitidas en una versi\u00f3n puntual. No existe ning\u00fan workaround porque ya hay un parche disponible. Se recomienda a los usuarios que actualicen." } ], "id": "CVE-2024-32967", "lastModified": "2025-01-08T18:30:33.600", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-05-01T07:15:40.537", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": 
"https://github.com/zitadel/zitadel/releases/tag/v2.46.7" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-03-27 20:15
Modified
2025-01-08 18:20
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example, it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To address this, we introduced a protection that prevents actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.42.17 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.43.11 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.44.7 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.45.5 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.46.5 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.47.8 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.48.3 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.42.17 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.43.11 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.44.7 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.45.5 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.46.5 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.47.8 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.48.3 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "220712AC-B9A7-4C02-972F-F69A3C93EA5C", "versionEndExcluding": "2.42.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E63D00B9-2C3C-48BA-9C87-DA3B3895DDCB", "versionEndExcluding": "2.43.11", "versionStartIncluding": "2.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B72E7A77-7537-4872-8038-A92E68A1451B", "versionEndExcluding": "2.44.7", "versionStartIncluding": "2.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0B9428D-76F8-4121-809B-AEC937D6419A", "versionEndExcluding": "2.45.5", "versionStartIncluding": "2.45.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5829B90F-DCE0-44DB-AC75-9BC923774CD7", "versionEndExcluding": "2.46.5", "versionStartIncluding": "2.46.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C29110B-3ADA-4388-A9AF-773574F03094", "versionEndExcluding": "2.47.8", "versionStartIncluding": "2.47.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "63C71265-8561-48A6-9D9F-1A94A89A64D8", "versionEndExcluding": "2.48.3", "versionStartIncluding": "2.48.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. 
This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17." }, { "lang": "es", "value": "ZITADEL, software de gesti\u00f3n de autenticaci\u00f3n de c\u00f3digo abierto, utiliza plantillas Go para representar la interfaz de usuario de inicio de sesi\u00f3n. En determinadas circunstancias una acci\u00f3n podr\u00eda establecer reclamaciones reservadas gestionadas por ZITADEL. Por ejemplo, ser\u00eda posible establecer el reclamo `urn:zitadel:iam:user:resourceowner:name`. Para compensar esto, introdujimos una protecci\u00f3n que evita que las acciones cambien los reclamos que comienzan con `urn:zitadel:iam`. Esta vulnerabilidad se solucion\u00f3 en 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11 y 2.42.17." } ], "id": "CVE-2024-29892", "lastModified": "2025-01-08T18:20:34.003", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-03-27T20:15:08.303", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": 
"https://github.com/zitadel/zitadel/releases/tag/v2.42.17" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-09-20 00:15
Modified
2024-09-24 20:25
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may, instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account's password.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393 | Patch, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B57963B2-68B5-4E7C-97B7-64304BB64F6C", "versionEndExcluding": "2.54.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD559AF6-7A21-405F-A421-B801F37B9B3C", "versionEndExcluding": "2.55.8", "versionStartIncluding": "2.55.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "04A51D71-DC37-4443-AFD4-5C1DACBD9026", "versionEndExcluding": "2.56.6", "versionStartIncluding": "2.56.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A379F08-C3D5-4C5F-8799-AC2E9097A655", "versionEndExcluding": "2.57.5", "versionStartIncluding": "2.57.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "095B9185-EB6C-4601-95AC-C1F8CE4CF757", "versionEndExcluding": "2.58.5", "versionStartIncluding": "2.58.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "790DC952-225B-4AAA-873C-EACDE249982B", "versionEndExcluding": "2.59.3", "versionStartIncluding": "2.59.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "89E084F5-D132-4244-8E7C-4E26E033A636", "versionEndExcluding": "2.60.2", "versionStartIncluding": "2.60.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.61.0:*:*:*:*:*:*:*", "matchCriteriaId": "ED36FAD4-DAB7-41FE-8C14-119B24E2CCCC", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.62.0:*:*:*:*:*:*:*", "matchCriteriaId": "D15D8180-D356-4933-8390-19B2DCE2D89F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Zitadel is an open source identity management platform. 
ZITADEL\u0027s user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised t upgrade. Users unable to upgrade may instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account\u0027s password." }, { "lang": "es", "value": "Zitadel es una plataforma de gesti\u00f3n de identidad de c\u00f3digo abierto. El mecanismo de desactivaci\u00f3n de cuentas de usuario de ZITADEL no funcionaba correctamente con las cuentas de servicio. Las cuentas de servicio desactivadas conservaban la capacidad de solicitar tokens, lo que pod\u00eda provocar un acceso no autorizado a aplicaciones y recursos. Se han publicado las versiones 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8 y 2.54.10 que solucionan este problema. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar la versi\u00f3n pueden, en lugar de desactivar la cuenta de servicio, considerar la posibilidad de crear nuevas credenciales y reemplazar las antiguas dondequiera que se utilicen. Esto evita de forma eficaz que se utilice la cuenta de servicio desactivada. Aseg\u00farese de revocar todas las claves de autenticaci\u00f3n existentes asociadas con la cuenta de servicio y de rotar la contrase\u00f1a de la cuenta de servicio." 
} ], "id": "CVE-2024-47000", "lastModified": "2024-09-24T20:25:30.493", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-09-20T00:15:03.550", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-07-03 20:15
Modified
2025-01-08 18:24
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that user-agent information (e.g. when created through the session service) were incorrectly listed, potentially exposing other users' sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://discord.com/channels/927474939156643850/1254096852937347153 | Permissions Required, URL Repurposed | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73 | Patch | |
security-advisories@github.com | https://github.com/zitadel/zitadel/issues/8213 | Issue Tracking | |
security-advisories@github.com | https://github.com/zitadel/zitadel/pull/8231 | Issue Tracking | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.53.8 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.54.5 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/releases/tag/v2.55.1 | Release Notes | |
security-advisories@github.com | https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://discord.com/channels/927474939156643850/1254096852937347153 | Permissions Required, URL Repurposed | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/issues/8213 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/pull/8231 | Issue Tracking | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.53.8 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.54.5 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/releases/tag/v2.55.1 | Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5976968D-F1B6-4FE8-8E2B-98BD1013BB3A", "versionEndExcluding": "2.53.8", "versionStartIncluding": "2.53.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E5CFD42-7A8B-414C-AB09-257C1116E42B", "versionEndExcluding": "2.54.5", "versionStartIncluding": "2.54.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.55.0:-:*:*:*:*:*:*", "matchCriteriaId": "A4ED9439-D16E-4F3E-B75D-EE7379A35207", "vulnerable": true }, { "criteria": "cpe:2.3:a:zitadel:zitadel:2.55.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D365EF32-0A70-4E98-B4A6-D46CB25A4644", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created though the session service) were incorrectly listed exposing potentially other user\u0027s sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available." }, { "lang": "es", "value": "ZITADEL es una herramienta de infraestructura de identidad de c\u00f3digo abierto. ZITADEL brinda a los usuarios la capacidad de enumerar todas las sesiones de usuario del agente de usuario actual (navegador). A partir de la versi\u00f3n 2.53.0 y antes de las versiones 2.53.8, 2.54.5 y 2.55.1, debido a una verificaci\u00f3n faltante, las sesiones de usuario sin esa informaci\u00f3n (por ejemplo, cuando se crearon a trav\u00e9s del servicio de sesi\u00f3n) se enumeraron incorrectamente, exponiendo potencialmente las sesiones de otros usuarios. 
Las versiones 2.55.1, 2.54.5 y 2.53.8 contienen una soluci\u00f3n para el problema. No existe ning\u00fan workaround porque ya hay un parche disponible." } ], "id": "CVE-2024-39683", "lastModified": "2025-01-08T18:24:07.627", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-07-03T20:15:04.840", "references": [ { "source": "security-advisories@github.com", "tags": [ "Permissions Required", "URL Repurposed" ], "url": "https://discord.com/channels/927474939156643850/1254096852937347153" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73" }, { "source": "security-advisories@github.com", "tags": [ "Issue 
Tracking" ], "url": "https://github.com/zitadel/zitadel/issues/8213" }, { "source": "security-advisories@github.com", "tags": [ "Issue Tracking" ], "url": "https://github.com/zitadel/zitadel/pull/8231" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required", "URL Repurposed" ], "url": "https://discord.com/channels/927474939156643850/1254096852937347153" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/issues/8213" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://github.com/zitadel/zitadel/pull/8231" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], 
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }