CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5556 vulnerabilities reference this CWE, most recent first.
GHSA-F28V-QHMR-FHCX
Vulnerability from github – Published: 2025-07-15 21:31 – Updated: 2025-07-15 21:31Vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite (component: Multiplatform Sync Errors). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Mobile Field Service. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Mobile Field Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Mobile Field Service accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2025-30744"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-15T20:15:28Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite (component: Multiplatform Sync Errors). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Mobile Field Service. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Mobile Field Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Mobile Field Service accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"id": "GHSA-f28v-qhmr-fhcx",
"modified": "2025-07-15T21:31:39Z",
"published": "2025-07-15T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30744"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F2FJ-CJ3G-RJ2X
Vulnerability from github – Published: 2021-11-18 00:00 – Updated: 2022-06-29 00:00Improper access control in the software installer for the Intel(R) Serial IO driver for Intel(R) NUC 11 Gen before version 30.100.2104.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2021-33118"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-17T20:15:00Z",
"severity": "HIGH"
},
"details": "Improper access control in the software installer for the Intel(R) Serial IO driver for Intel(R) NUC 11 Gen before version 30.100.2104.1 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-f2fj-cj3g-rj2x",
"modified": "2022-06-29T00:00:52Z",
"published": "2021-11-18T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33118"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00560.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2G3-3C6Q-4478
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2025-02-10 20:39Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.4.0"
},
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-24401"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-13T21:51:10Z",
"nvd_published_at": "2020-11-09T01:15:00Z",
"severity": "MODERATE"
},
"details": "Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user\u0027s account.",
"id": "GHSA-f2g3-3c6q-4478",
"modified": "2025-02-10T20:39:13Z",
"published": "2022-05-24T17:33:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24401"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Magento 2 Community Edition Incorrect Authorization"
}
GHSA-F2HR-7WR3-RHJ7
Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-24 00:00The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.
{
"affected": [],
"aliases": [
"CVE-2021-46785"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-13T15:15:00Z",
"severity": "MODERATE"
},
"details": "The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.",
"id": "GHSA-f2hr-7wr3-rhj7",
"modified": "2022-05-24T00:00:29Z",
"published": "2022-05-14T00:01:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46785"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/5"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202205-0000001245813162"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F2J6-WRHH-V25M
Vulnerability from github – Published: 2018-10-10 16:10 – Updated: 2024-10-09 20:55Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.1"
},
{
"fixed": "2.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000805"
],
"database_specific": {
"cwe_ids": [
"CWE-732",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:33:26Z",
"nvd_published_at": "2018-10-08T15:29:00Z",
"severity": "HIGH"
},
"details": "Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.",
"id": "GHSA-f2j6-wrhh-v25m",
"modified": "2024-10-09T20:55:50Z",
"published": "2018-10-10T16:10:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000805"
},
{
"type": "WEB",
"url": "https://github.com/paramiko/paramiko/issues/1283"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2018:3497"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3347"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3406"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3505"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-f2j6-wrhh-v25m"
},
{
"type": "PACKAGE",
"url": "https://github.com/paramiko/paramiko"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2018-69.yaml"
},
{
"type": "WEB",
"url": "https://herolab.usd.de/wp-content/uploads/sites/4/usd20180023.txt"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3796-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3796-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3796-3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Paramiko Authentication Bypass vulnerability"
}
GHSA-F32V-VF79-P29Q
Vulnerability from github – Published: 2022-04-27 00:00 – Updated: 2022-05-26 19:40Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "17.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1466"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-28T21:03:04Z",
"nvd_published_at": "2022-04-26T19:15:00Z",
"severity": "MODERATE"
},
"details": "Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.",
"id": "GHSA-f32v-vf79-p29q",
"modified": "2022-05-26T19:40:49Z",
"published": "2022-04-27T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt"
},
{
"type": "WEB",
"url": "https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper authorization in Keycloak"
}
GHSA-F362-3WMQ-4VF5
Vulnerability from github – Published: 2022-05-11 00:00 – Updated: 2025-01-02 21:31Microsoft Office Security Feature Bypass Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-29107"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "Microsoft Office Security Feature Bypass Vulnerability.",
"id": "GHSA-f362-3wmq-4vf5",
"modified": "2025-01-02T21:31:33Z",
"published": "2022-05-11T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29107"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29107"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29107"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F378-QX8V-C7CF
Vulnerability from github – Published: 2024-10-10 03:30 – Updated: 2024-10-10 03:30In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin. By exploiting this vulnerability, an attacker can view metadata of files uploaded by an admin and overwrite these files, compromising the integrity and availability of the RAG models.
{
"affected": [],
"aliases": [
"CVE-2024-7048"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-10T02:15:03Z",
"severity": "MODERATE"
},
"details": "In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin. By exploiting this vulnerability, an attacker can view metadata of files uploaded by an admin and overwrite these files, compromising the integrity and availability of the RAG models.",
"id": "GHSA-f378-qx8v-c7cf",
"modified": "2024-10-10T03:30:45Z",
"published": "2024-10-10T03:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7048"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/acd0b2dd-61eb-4712-82d3-a4e35d6ee560"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F3F9-274W-R3M6
Vulnerability from github – Published: 2023-05-09 18:30 – Updated: 2024-04-04 03:55Insecure Permissons vulnerability found in Shop_CMS YerShop all versions allows a remote attacker to escalate privileges via the cover_id parameter.
{
"affected": [],
"aliases": [
"CVE-2020-23362"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-09T16:15:13Z",
"severity": "HIGH"
},
"details": "Insecure Permissons vulnerability found in Shop_CMS YerShop all versions allows a remote attacker to escalate privileges via the cover_id parameter.",
"id": "GHSA-f3f9-274w-r3m6",
"modified": "2024-04-04T03:55:40Z",
"published": "2023-05-09T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23362"
},
{
"type": "WEB",
"url": "https://github.com/huyiwill/shopcms_lang/issues/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F3GH-529W-V32X
Vulnerability from github – Published: 2025-03-04 16:43 – Updated: 2025-03-11 17:18Summary
ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, we still strongly recommend upgrading to the patched version to address all identified issues.
Description
ZITADEL's Admin API, intended for managing ZITADEL instances, contains 12 HTTP endpoints that are unexpectedly accessible to authenticated ZITADEL users who are not ZITADEL managers. The most critical vulnerable endpoints relate to LDAP configuration:
- /idps/ldap
- /idps/ldap/{id}
By accessing these endpoints, unauthorized users could:
- Modify ZITADEL's instance LDAP settings, redirecting all LDAP login attempts to a malicious server, effectively taking over user accounts.
- Expose the original LDAP server's password, potentially compromising all user accounts.
Additional Vulnerable Endpoints
The following endpoints are also affected by IDOR vulnerabilities, potentially allowing unauthorized modification of instance settings such as languages, labels, and templates:
- /idps/templates/_search
- /idps/templates/{id}
- /policies/label/_activate
- /policies/label/logo
- /policies/label/logo_dark
- /policies/label/icon
- /policies/label/icon_dark
- /policies/label/font
- /text/message/passwordless_registration/{language}
- /text/login/{language}
Impact
The impact of this vulnerability varies depending on whether a ZITADEL instance utilizes LDAP for authentication:
- LDAP Users: Successful exploitation could lead to complete takeover of user accounts and exposure of the LDAP server's password.
- Non-LDAP Users: While the most severe risks are related to LDAP, exploitation of the additional vulnerable endpoints could still allow unauthorized modification of instance settings, impacting all organizations.
Patches
2.x versions are fixed on >= 2.71.0 2.70.x versions are fixed on >= 2.70.1 2.69.x versions are fixed on >= 2.69.4 2.68.x versions are fixed on >= 2.68.4 2.67.x versions are fixed on >= 2.67.8 2.66.x versions are fixed on >= 2.66.11 2.65.x versions are fixed on >= 2.65.6 2.64.x versions are fixed on >= 2.64.5 2.63.x versions are fixed on >= 2.63.8
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credit
This vulnerability was discovered by Amit Laish, a senior security researcher from GE Vernova and we want to thank him for reporting this to us!
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.63.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.64.0"
},
{
"fixed": "2.64.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.65.0"
},
{
"fixed": "2.65.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.66.0"
},
{
"fixed": "2.66.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.67.0"
},
{
"fixed": "2.67.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.68.0"
},
{
"fixed": "2.68.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.69.0"
},
{
"fixed": "2.69.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.70.0"
},
{
"fixed": "2.70.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.63.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.64.0"
},
{
"fixed": "2.64.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.65.0"
},
{
"fixed": "2.65.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.66.0"
},
{
"fixed": "2.66.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.67.0"
},
{
"fixed": "2.67.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.68.0"
},
{
"fixed": "2.68.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.69.0"
},
{
"fixed": "2.69.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.70.0"
},
{
"fixed": "2.70.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27507"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-04T16:43:56Z",
"nvd_published_at": "2025-03-04T17:15:20Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nZITADEL\u0027s Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, we still strongly recommend upgrading to the patched version to address all identified issues.\n\n### Description\n\nZITADEL\u0027s Admin API, intended for managing ZITADEL instances, contains 12 HTTP endpoints that are unexpectedly accessible to authenticated ZITADEL users who are not ZITADEL managers. The most critical vulnerable endpoints relate to LDAP configuration:\n\n- /idps/ldap\n- /idps/ldap/{id}\n\nBy accessing these endpoints, unauthorized users could:\n\n- Modify ZITADEL\u0027s instance LDAP settings, redirecting all LDAP login attempts to a malicious server, effectively taking over user accounts. \n- Expose the original LDAP server\u0027s password, potentially compromising all user accounts. \n\n### Additional Vulnerable Endpoints\n\nThe following endpoints are also affected by IDOR vulnerabilities, potentially allowing unauthorized modification of instance settings such as languages, labels, and templates:\n\n- /idps/templates/_search\n- /idps/templates/{id}\n- /policies/label/_activate\n- /policies/label/logo\n- /policies/label/logo_dark\n- /policies/label/icon\n- /policies/label/icon_dark\n- /policies/label/font\n- /text/message/passwordless_registration/{language}\n- /text/login/{language} \n\n### Impact\n\nThe impact of this vulnerability varies depending on whether a ZITADEL instance utilizes LDAP for authentication:\n\n- LDAP Users: Successful exploitation could lead to complete takeover of user accounts and exposure of the LDAP server\u0027s password. \n- Non-LDAP Users: While the most severe risks are related to LDAP, exploitation of the additional vulnerable endpoints could still allow unauthorized modification of instance settings, impacting all organizations. \n\n### Patches\n\n2.x versions are fixed on \u003e= [2.71.0](https://github.com/zitadel/zitadel/releases/tag/v2.71.0)\n2.70.x versions are fixed on \u003e= [2.70.1](https://github.com/zitadel/zitadel/releases/tag/v2.70.1)\n2.69.x versions are fixed on \u003e= [2.69.4](https://github.com/zitadel/zitadel/releases/tag/v2.69.4)\n2.68.x versions are fixed on \u003e= [2.68.4](https://github.com/zitadel/zitadel/releases/tag/v2.68.4)\n2.67.x versions are fixed on \u003e= [2.67.8](https://github.com/zitadel/zitadel/releases/tag/v2.67.8)\n2.66.x versions are fixed on \u003e= [2.66.11](https://github.com/zitadel/zitadel/releases/tag/v2.66.11)\n2.65.x versions are fixed on \u003e= [2.65.6](https://github.com/zitadel/zitadel/releases/tag/v2.65.6)\n2.64.x versions are fixed on \u003e= [2.64.5](https://github.com/zitadel/zitadel/releases/tag/v2.64.5)\n2.63.x versions are fixed on \u003e= [2.63.8](https://github.com/zitadel/zitadel/releases/tag/v2.63.8)\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at security@zitadel.com\n\n### Credit\n\nThis vulnerability was discovered by Amit Laish, a senior security researcher from GE Vernova and we want to thank him for reporting this to us!",
"id": "GHSA-f3gh-529w-v32x",
"modified": "2025-03-11T17:18:47Z",
"published": "2025-03-04T16:43:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27507"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.8"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.5"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.65.6"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.66.11"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.67.8"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.68.4"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.69.4"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.1"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.0"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3499"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "IDOR Vulnerabilities in ZITADEL\u0027s Admin API that Primarily Impact LDAP Configurations"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.