35 vulnerabilities by zitadel
CVE-2025-67717 (GCVE-0-2025-67717)
Vulnerability from cvelistv5 – Published: 2025-12-11 00:30 – Updated: 2025-12-11 18:43
Title
Zitadel Discloses the Total Number of Instance Users
Summary
ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2.
Severity
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
GitHub_M
References
- https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx (x_refsource_CONFIRM)
- https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c (x_refsource_MISC)
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T18:39:06.363465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T18:43:08.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 1.80.0-v2.20.0.20251210"
},
{
"status": "affected",
"version": "\u003e= 2.44.0, \u003c 3.4.5"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T00:30:19.192Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx"
},
{
"name": "https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c"
}
],
"source": {
"advisory": "GHSA-f4cf-9rvr-2rcx",
"discovery": "UNKNOWN"
},
"title": "Zitadel Discloses the Total Number of Instance Users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67717",
"datePublished": "2025-12-11T00:30:19.192Z",
"dateReserved": "2025-12-10T17:47:36.418Z",
"dateUpdated": "2025-12-11T18:43:08.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67495 (GCVE-0-2025-67495)
Vulnerability from cvelistv5 – Published: 2025-12-09 22:38 – Updated: 2025-12-10 16:50
Title
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
Summary
ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value supplied in the post_logout_redirect GET parameter. As a result, an unauthenticated remote attacker can execute malicious JS code in Zitadel users' browsers. To carry out an attack, multiple user sessions need to be active in the same browser; however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1.
Severity
8.0 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
GitHub_M
References
- https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p (x_refsource_CONFIRM)
- https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96 (x_refsource_MISC)
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T16:13:47.888251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T16:50:23.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 1.80.0-v2.20.0.20251208091519-4c879b47334e"
},
{
"status": "affected",
"version": "\u003e= 1.83.4, \u003c= 1.87.5"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, unauthenticated remote attacker can execute malicious JS code on Zitadel users\u2019 browsers. To carry out an attack, multiple user sessions need to be active in the same browser, however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T22:38:44.327Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p"
},
{
"name": "https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96"
}
],
"source": {
"advisory": "GHSA-v959-qxv6-6f8p",
"discovery": "UNKNOWN"
},
"title": "ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67495",
"datePublished": "2025-12-09T22:38:44.327Z",
"dateReserved": "2025-12-08T20:58:24.640Z",
"dateUpdated": "2025-12-10T16:50:23.393Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67494 (GCVE-0-2025-67494)
Vulnerability from cvelistv5 – Published: 2025-12-09 22:07 – Updated: 2025-12-10 16:50
Title
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
Summary
ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1.
Severity
9.3 (Critical)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
GitHub_M
References
- https://github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5 (x_refsource_CONFIRM)
- https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96 (x_refsource_MISC)
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67494",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T16:13:59.817347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T16:50:30.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 1.80.0-v2.20.0.20251208091519-4c879b47334e"
},
{
"status": "affected",
"version": "\u003e= 1.83.4, \u003c= 1.87.5"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T22:07:51.878Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5"
},
{
"name": "https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96"
}
],
"source": {
"advisory": "GHSA-7wfc-4796-gmg5",
"discovery": "UNKNOWN"
},
"title": "ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67494",
"datePublished": "2025-12-09T22:07:51.878Z",
"dateReserved": "2025-12-08T18:49:47.487Z",
"dateUpdated": "2025-12-10T16:50:30.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64717 (GCVE-0-2025-64717)
Vulnerability from cvelistv5 – Published: 2025-11-13 15:30 – Updated: 2025-11-13 17:09
Title
ZITADEL vulnerable to Account Takeover with deactivated Instance IdP
Summary
ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. This vulnerability stems from the platform's failure to correctly check or enforce an organization's specific security settings during the authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation, but this setting was not being honored during the auto-linking process. This allowed an unauthenticated attacker to initiate a login using an IdP that should have been disabled for that organization. The platform would incorrectly validate the login and, based on matching criteria, link the attacker's external identity to an existing internal user account. This may result in a full Account Takeover, bypassing the organization's mandated security controls. Note that accounts with MFA enabled cannot be taken over by this attack. Also note that only IdPs created on an instance level would allow this to work. IdPs registered on another organization would always be denied in the (auto-)linking process. Versions 4.6.6, 3.4.4, and 2.71.19 resolve the issue by correctly validating the organization's login policy before auto-linking an external user. No known workarounds are available aside from upgrading.
Severity
7.4 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
GitHub_M
References
- https://github.com/zitadel/zitadel/security/advisories/GHSA-j4g7-v4m4-77px (x_refsource_CONFIRM)
- https://github.com/zitadel/zitadel/releases/tag/v2.71.19 (x_refsource_MISC)
- https://github.com/zitadel/zitadel/releases/tag/v3.4.4 (x_refsource_MISC)
- https://github.com/zitadel/zitadel/releases/tag/v4.6.6 (x_refsource_MISC)
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T17:08:48.778483Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T17:09:03.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.6.6"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc.1, \u003c 3.4.4"
},
{
"status": "affected",
"version": "\u003e= 2.50.0, \u003c 2.71.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL\u0027s federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. This vulnerability stems from the platform\u0027s failure to correctly check or enforce an organization\u0027s specific security settings during the authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation, but this setting was not being honored during the auto-linking process. This allowed an unauthenticated attacker to initiate a login using an IdP that should have been disabled for that organization. The platform would incorrectly validate the login and, based on a matching criteria, link the attacker\u0027s external identity to an existing internal user account. This may result in a full Account Takeover, bypassing the organization\u0027s mandated security controls. Note that accounts with MFA enabled can not be taken over by this attack. Also note that only IdPs create on an instance level would allow this to work. IdPs registered on another organization would always be denied in the (auto-)linking process. Versions 4.6.6, 3.4.4, and 2.71.19 resolve the issue by correctly validating the organization\u0027s login policy before auto-linking an external user. No known workarounds are available aside from upgrading."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T15:30:51.233Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-j4g7-v4m4-77px",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-j4g7-v4m4-77px"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.19",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.19"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.4"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v4.6.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v4.6.6"
}
],
"source": {
"advisory": "GHSA-j4g7-v4m4-77px",
"discovery": "UNKNOWN"
},
"title": "ZITADEL vulnerable to Account Takeover with deactivated Instance IdP"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64717",
"datePublished": "2025-11-13T15:30:51.233Z",
"dateReserved": "2025-11-10T14:07:42.922Z",
"dateUpdated": "2025-11-13T17:09:03.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64431 (GCVE-0-2025-64431)
Vulnerability from cvelistv5 – Published: 2025-11-07 18:09 – Updated: 2025-11-07 18:29
Title
IDOR Vulnerabilities in ZITADEL's Organization API Allow Cross-Tenant Data Tampering
Summary
Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to Insecure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations. Note that this vulnerability is limited to organization-level data (name, domains, metadata). No other related data (such as users, projects, applications, etc.) is affected. This issue is fixed in version 4.6.3.
Severity
8.7 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
- https://github.com/zitadel/zitadel/security/advisories/GHSA-cpf4-pmr4-w6cx (x_refsource_CONFIRM)
- https://github.com/zitadel/zitadel/commit/8dcfff97ed52a8b9fc77ecb1f972744f42cff3ed (x_refsource_MISC)
- https://github.com/zitadel/zitadel/releases/tag/v4.6.3 (x_refsource_MISC)
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64431",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T18:28:59.518688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T18:29:24.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.6.3"
},
{
"status": "affected",
"version": "\u003e= 1.80.0-v2.20.0.20250414095945-f365cee73242, \u003c 1.80.0-v2.20.0.20251105083648-8dcfff97ed52"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to secure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations. Note that this vulnerability is limited to organization-level data (name, domains, metadata). No other related data (such as users, projects, applications, etc.) is affected. This issue is fixed in version 4.6.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T18:09:25.466Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cpf4-pmr4-w6cx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cpf4-pmr4-w6cx"
},
{
"name": "https://github.com/zitadel/zitadel/commit/8dcfff97ed52a8b9fc77ecb1f972744f42cff3ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/8dcfff97ed52a8b9fc77ecb1f972744f42cff3ed"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v4.6.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v4.6.3"
}
],
"source": {
"advisory": "GHSA-cpf4-pmr4-w6cx",
"discovery": "UNKNOWN"
},
"title": "IDOR Vulnerabilities in ZITADEL\u0027s Organization API allows Cross-Tenant Data Tempering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64431",
"datePublished": "2025-11-07T18:09:25.466Z",
"dateReserved": "2025-11-03T22:12:51.365Z",
"dateUpdated": "2025-11-07T18:29:24.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64103 (GCVE-0-2025-64103)
Vulnerability from cvelistv5 – Published: 2025-10-29 18:43 – Updated: 2025-10-30 14:51
Title
Zitadel Bypass Second Authentication Factor
Summary
Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi-factor authentication if the login policy had either requireMFA or requireMFAForLocalUsers enabled. If a user had set up MFA without this requirement, Zitadel would consider single-factor authenticated sessions valid as well and not require multiple factors. Bypassing second authentication factors weakens multi-factor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
Severity
8.7 (High)
CWE
- CWE-308 - Use of Single-factor Authentication
- CWE-287 - Improper Authentication
Assigner
GitHub_M
References
- https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5 (x_refsource_CONFIRM)
- https://github.com/zitadel/zitadel/commit/b284f8474eed0cba531905101619e7ae7963156b (x_refsource_MISC)
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64103",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:51:11.506264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:51:19.189Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.6.0"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc.1, \u003c 3.4.3"
},
{
"status": "affected",
"version": "\u003e= 2.55.0, \u003c 2.71.18"
},
{
"status": "affected",
"version": "\u003e= 2.54.3, \u003c= 2.54.10"
},
{
"status": "affected",
"version": "\u003e= 2.53.6, \u003c= 2.53.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-308",
"description": "CWE-308: Use of Single-factor Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T20:42:41.527Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5"
},
{
"name": "https://github.com/zitadel/zitadel/commit/b284f8474eed0cba531905101619e7ae7963156b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/b284f8474eed0cba531905101619e7ae7963156b"
}
],
"source": {
"advisory": "GHSA-cfjq-28r2-4jv5",
"discovery": "UNKNOWN"
},
"title": "Zitadel Bypass Second Authentication Factor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64103",
"datePublished": "2025-10-29T18:43:46.934Z",
"dateReserved": "2025-10-27T15:26:14.127Z",
"dateUpdated": "2025-10-30T14:51:19.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64102 (GCVE-0-2025-64102)
Vulnerability from cvelistv5 – Published: 2025-10-29 18:36 – Updated: 2025-10-30 14:53
Title
Zitadel allows brute-forcing authentication factors
Summary
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute-force attacks on TOTP, Email OTP, or passwords using a lockout mechanism, that mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
Severity
7.7 (High)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
GitHub_M
References
- https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878 (x_refsource_CONFIRM)
- https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a (x_refsource_MISC)
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:53:46.409256Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:53:53.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.6.0"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc.1, \u003c 3.4.3"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.71.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T18:36:15.390Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878"
},
{
"name": "https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a"
}
],
"source": {
"advisory": "GHSA-xrw9-r35x-x878",
"discovery": "UNKNOWN"
},
"title": "Zitadel allows brute-forcing authentication factors"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64102",
"datePublished": "2025-10-29T18:36:15.390Z",
"dateReserved": "2025-10-27T15:26:14.127Z",
"dateUpdated": "2025-10-30T14:53:53.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64101 (GCVE-0-2025-64101)
Vulnerability from cvelistv5 – Published: 2025-10-29 18:30 – Updated: 2025-10-29 19:35
Title
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
Summary
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
Severity
8.1 (High)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64101",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-29T19:35:29.013422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T19:35:39.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-rc.1, \u003c 4.6.0"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc.1, \u003c 3.4.3"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.71.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL\u0027s password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user\u0027s password and gain unauthorized access to their account. It\u0027s important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T18:34:22.475Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mwmh-7px9-4c23",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mwmh-7px9-4c23"
},
{
"name": "https://github.com/zitadel/zitadel/commit/72a5c33e6ac302b978d564bd049f9364f5a989b1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/72a5c33e6ac302b978d564bd049f9364f5a989b1"
}
],
"source": {
"advisory": "GHSA-mwmh-7px9-4c23",
"discovery": "UNKNOWN"
},
"title": "ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64101",
"datePublished": "2025-10-29T18:30:14.999Z",
"dateReserved": "2025-10-27T15:26:14.126Z",
"dateUpdated": "2025-10-29T19:35:39.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-57770 (GCVE-0-2025-57770)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:50 – Updated: 2025-08-22 20:05
Title
ZITADEL user enumeration vulnerability in login UI
Summary
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15 are vulnerable to a username enumeration issue in the login interface. The login UI includes a security feature, Ignoring unknown usernames, that is intended to prevent username enumeration by returning a generic response for both valid and invalid usernames. This vulnerability allows an unauthenticated attacker to bypass this protection by submitting arbitrary userIDs to the select account page and distinguishing between valid and invalid accounts based on the system's response. For effective exploitation, an attacker needs to iterate through possible userIDs, but the impact can be limited by implementing rate limiting or similar measures. The issue has been patched in versions 4.0.3, 3.4.0, and 2.71.15.
Severity
5.3 (Medium)
CWE
- CWE-203 - Observable Discrepancy
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T20:04:52.320114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T20:05:08.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 2.71.15"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.4.0"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15 are vulnerable to a username enumeration issue in the login interface. The login UI includes a security feature, Ignoring unknown usernames, that is intended to prevent username enumeration by returning a generic response for both valid and invalid usernames. This vulnerability allows an unauthenticated attacker to bypass this protection by submitting arbitrary userIDs to the select account page and distinguishing between valid and invalid accounts based on the system\u0027s response. For effective exploitation, an attacker needs to iterate through possible userIDs, but the impact can be limited by implementing rate limiting or similar measures. The issue has been patched in versions 4.0.3, 3.4.0, and 2.71.15."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203: Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T16:50:35.002Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g9c3-xh6v-fr86",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g9c3-xh6v-fr86"
},
{
"name": "https://github.com/zitadel/zitadel/commit/7abe759c95cb360524d88b51744d03cbb6e4dcdb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/7abe759c95cb360524d88b51744d03cbb6e4dcdb"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.15"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v3.4.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.0"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v4.0.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v4.0.3"
},
{
"name": "https://zitadel.com/docs/self-hosting/manage/production#limits-and-quotas",
"tags": [
"x_refsource_MISC"
],
"url": "https://zitadel.com/docs/self-hosting/manage/production#limits-and-quotas"
}
],
"source": {
"advisory": "GHSA-g9c3-xh6v-fr86",
"discovery": "UNKNOWN"
},
"title": "ZITADEL user enumeration vulnerability in login UI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57770",
"datePublished": "2025-08-22T16:50:35.002Z",
"dateReserved": "2025-08-19T15:16:22.917Z",
"dateUpdated": "2025-08-22T20:05:08.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53895 (GCVE-0-2025-53895)
Vulnerability from cvelistv5 – Published: 2025-07-15 16:39 – Updated: 2025-07-15 17:19
Title
ZITADEL has broken authN and authZ in session API and resulting session tokens
Summary
ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, a vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue.
Severity
7.7 (High)
CWE
- CWE-863 - Incorrect Authorization
- CWE-384 - Session Fixation
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-15T17:19:18.220867Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T17:19:29.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "= 4.0.0-rc.1"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.3.1"
},
{
"status": "affected",
"version": "\u003e= 2.53.0, \u003c 2.70.14"
},
{
"status": "affected",
"version": "\u003e= 2.71.0, \u003c 2.71.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL\u0027s session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T16:39:00.635Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6c5p-6www-pcmr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6c5p-6www-pcmr"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.70.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.14"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.13"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v3.3.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v3.3.2"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v4.0.0-rc.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v4.0.0-rc.2"
}
],
"source": {
"advisory": "GHSA-6c5p-6www-pcmr",
"discovery": "UNKNOWN"
},
"title": "ZITADEL has broken authN and authZ in session API and resulting session tokens"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53895",
"datePublished": "2025-07-15T16:39:00.635Z",
"dateReserved": "2025-07-11T19:05:23.825Z",
"dateUpdated": "2025-07-15T17:19:29.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48936 (GCVE-0-2025-48936)
Vulnerability from cvelistv5 – Published: 2025-05-30 06:30 – Updated: 2025-05-30 13:06
Title
ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection
Summary
Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2.
Severity
8.1 (High)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48936",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T13:06:39.523979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T13:06:54.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 2.70.12"
},
{
"status": "affected",
"version": "\u003e= 2.71.0, \u003c= 2.71.10"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-rc1, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user\u0027s password and gain unauthorized access to their account. This specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This issue has been patched in versions 2.70.12, 2.71.10, and 3.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T06:30:57.792Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf"
},
{
"name": "https://github.com/zitadel/zitadel/commit/c097887bc5f680e12c998580fb56d98a15758f53",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/c097887bc5f680e12c998580fb56d98a15758f53"
}
],
"source": {
"advisory": "GHSA-93m4-mfpg-c3xf",
"discovery": "UNKNOWN"
},
"title": "ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48936",
"datePublished": "2025-05-30T06:30:57.792Z",
"dateReserved": "2025-05-28T18:49:07.577Z",
"dateUpdated": "2025-05-30T13:06:54.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46815 (GCVE-0-2025-46815)
Vulnerability from cvelistv5 – Published: 2025-05-06 17:13 – Updated: 2025-05-06 18:21
Title
ZITADEL Allows IdP Intent Token Reuse
Summary
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. This id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application's URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.
Severity
8.0 (High)
CWE
- CWE-613 - Insufficient Session Expiration
- CWE-294 - Authentication Bypass by Capture-replay
- CWE-384 - Session Fixation
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T18:20:59.907100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T18:21:14.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0-rc.1, \u003c 3.0.0"
},
{
"status": "affected",
"version": "\u003c 2.70.10"
},
{
"status": "affected",
"version": "\u003e= 2.71.0, \u003c 2.71.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application\u2019s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It\u0027s important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T17:13:53.878Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq"
},
{
"name": "https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.70.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.10"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v3.0.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v3.0.0"
}
],
"source": {
"advisory": "GHSA-g4r8-mp7g-85fq",
"discovery": "UNKNOWN"
},
"title": "ZITADEL Allows IdP Intent Token Reuse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46815",
"datePublished": "2025-05-06T17:13:53.878Z",
"dateReserved": "2025-04-30T19:41:58.133Z",
"dateUpdated": "2025-05-06T18:21:14.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31124 (GCVE-0-2025-31124)
Vulnerability from cvelistv5 – Published: 2025-03-31 19:38 – Updated: 2025-03-31 22:26
Title
Zitadel allows User Enumeration by loginname attribute normalization
Summary
Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". While the setting was correctly respected during the login flow, the user's username was normalized leading to a disclosure of the user's existence. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.
Severity
5.3 (Medium)
CWE
- CWE-203 - Observable Discrepancy
- CWE-204 - Observable Response Discrepancy
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| zitadel | zitadel | Affected: >= 2.62.0, < 2.63.9 |
| zitadel | zitadel | Affected: >= 2.64.0-rc.1, < 2.64.6 |
| zitadel | zitadel | Affected: >= 2.65.0-rc.1, < 2.65.7 |
| zitadel | zitadel | Affected: >= 2.66.0-rc.1, < 2.66.16 |
| zitadel | zitadel | Affected: >= 2.67.0-rc.1, < 2.67.13 |
| zitadel | zitadel | Affected: >= 2.68.0-rc.1, < 2.68.9 |
| zitadel | zitadel | Affected: >= 2.69.0-rc.1, < 2.69.9 |
| zitadel | zitadel | Affected: >= 2.70.0-rc.1, < 2.70.8 |
| zitadel | zitadel | Affected: >= 2.71.0-rc.1, < 2.71.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31124",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T22:26:27.377115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T22:26:39.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.62.0, \u003c 2.63.9"
},
{
"status": "affected",
"version": "\u003e= 2.64.0-rc.1, \u003c 2.64.6"
},
{
"status": "affected",
"version": "\u003e= 2.65.0-rc.1, \u003c 2.65.7"
},
{
"status": "affected",
"version": "\u003e= 2.66.0-rc.1, \u003c 2.66.16"
},
{
"status": "affected",
"version": "\u003e= 2.67.0-rc.1, \u003c 2.67.13"
},
{
"status": "affected",
"version": "\u003e= 2.68.0-rc.1, \u003c 2.68.9"
},
{
"status": "affected",
"version": "\u003e= 2.69.0-rc.1, \u003c 2.69.9"
},
{
"status": "affected",
"version": "\u003e= 2.70.0-rc.1, \u003c 2.70.8"
},
{
"status": "affected",
"version": "\u003e= 2.71.0-rc.1, \u003c 2.71.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn\u0027t exist and report \"Username or Password invalid\". While the setting was correctly respected during the login flow, the user\u0027s username was normalized leading to a disclosure of the user\u0027s existence. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203: Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T19:38:12.235Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-67m4-8g4w-633q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-67m4-8g4w-633q"
},
{
"name": "https://github.com/zitadel/zitadel/commit/14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.63.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.64.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.6"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.65.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.65.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.66.16",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.66.16"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.67.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.67.13"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.68.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.68.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.69.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.69.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.70.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.6"
}
],
"source": {
"advisory": "GHSA-67m4-8g4w-633q",
"discovery": "UNKNOWN"
},
"title": "Zitadel allows User Enumeration by loginname attribute normalization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31124",
"datePublished": "2025-03-31T19:38:12.235Z",
"dateReserved": "2025-03-26T15:04:52.626Z",
"dateUpdated": "2025-03-31T22:26:39.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31123 (GCVE-0-2025-31123)
Vulnerability from cvelistv5 – Published: 2025-03-31 19:31 – Updated: 2025-03-31 22:38
Title
Zitadel Expired JWT Keys Usable for Authorization Grants
Summary
Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to obtain valid access tokens. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.
Severity
8.7 (High)
CWE
- CWE-324 - Use of a Key Past its Expiration Date
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| zitadel | zitadel | Affected: >= 2.62.0, < 2.63.9 |
| zitadel | zitadel | Affected: >= 2.64.0-rc.1, < 2.64.6 |
| zitadel | zitadel | Affected: >= 2.65.0-rc.1, < 2.65.7 |
| zitadel | zitadel | Affected: >= 2.66.0-rc.1, < 2.66.16 |
| zitadel | zitadel | Affected: >= 2.67.0-rc.1, < 2.67.13 |
| zitadel | zitadel | Affected: >= 2.68.0-rc.1, < 2.68.9 |
| zitadel | zitadel | Affected: >= 2.69.0-rc.1, < 2.69.9 |
| zitadel | zitadel | Affected: >= 2.70.0-rc.1, < 2.70.8 |
| zitadel | zitadel | Affected: >= 2.71.0-rc.1, < 2.71.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31123",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T22:38:16.728894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T22:38:38.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.62.0, \u003c 2.63.9"
},
{
"status": "affected",
"version": "\u003e= 2.64.0-rc.1, \u003c 2.64.6"
},
{
"status": "affected",
"version": "\u003e= 2.65.0-rc.1, \u003c 2.65.7"
},
{
"status": "affected",
"version": "\u003e= 2.66.0-rc.1, \u003c 2.66.16"
},
{
"status": "affected",
"version": "\u003e= 2.67.0-rc.1, \u003c 2.67.13"
},
{
"status": "affected",
"version": "\u003e= 2.68.0-rc.1, \u003c 2.68.9"
},
{
"status": "affected",
"version": "\u003e= 2.69.0-rc.1, \u003c 2.69.9"
},
{
"status": "affected",
"version": "\u003e= 2.70.0-rc.1, \u003c 2.70.8"
},
{
"status": "affected",
"version": "\u003e= 2.71.0-rc.1, \u003c 2.71.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to obtain valid access tokens. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "CWE-324: Use of a Key Past its Expiration Date",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T19:31:40.507Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-h3q7-347g-qwhf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-h3q7-347g-qwhf"
},
{
"name": "https://github.com/zitadel/zitadel/commit/315503beabd679f2e6aec0c004f0f9d2f5b53ed3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/315503beabd679f2e6aec0c004f0f9d2f5b53ed3"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.63.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.64.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.6"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.65.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.65.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.66.16",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.66.16"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.67.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.67.13"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.68.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.68.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.69.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.69.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.70.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.71.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.6"
}
],
"source": {
"advisory": "GHSA-h3q7-347g-qwhf",
"discovery": "UNKNOWN"
},
"title": "Zitadel Expired JWT Keys Usable for Authorization Grants"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31123",
"datePublished": "2025-03-31T19:31:40.507Z",
"dateReserved": "2025-03-26T15:04:52.626Z",
"dateUpdated": "2025-03-31T22:38:38.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27507 (GCVE-0-2025-27507)
Vulnerability from cvelistv5 – Published: 2025-03-04 16:43 – Updated: 2025-03-12 21:11
Title
IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations
Summary
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, 2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8.
Severity
9 (Critical)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| zitadel | zitadel | Affected: >= 2.63.0-rc.1, < 2.63.8 |
| zitadel | zitadel | Affected: >= 2.64.0-rc.1, < 2.64.5 |
| zitadel | zitadel | Affected: >= 2.66.0-rc.1, < 2.66.11 |
| zitadel | zitadel | Affected: >= 2.67.0-rc.1, < 2.67.8 |
| zitadel | zitadel | Affected: >= 2.68.0-rc.1, < 2.68.4 |
| zitadel | zitadel | Affected: >= 2.69.0-rc.1, < 2.69.4 |
| zitadel | zitadel | Affected: >= 2.70.0-rc.1, < 2.70.1 |
| zitadel | zitadel | Affected: >= 2.65.0-rc.1, < 2.65.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T17:05:51.380213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T21:11:10.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.63.0-rc.1, \u003c 2.63.8"
},
{
"status": "affected",
"version": "\u003e= 2.64.0-rc.1, \u003c 2.64.5"
},
{
"status": "affected",
"version": "\u003e= 2.66.0-rc.1, \u003c 2.66.11"
},
{
"status": "affected",
"version": "\u003e= 2.67.0-rc.1, \u003c 2.67.8"
},
{
"status": "affected",
"version": "\u003e= 2.68.0-rc.1, \u003c 2.68.4"
},
{
"status": "affected",
"version": "\u003e= 2.69.0-rc.1, \u003c 2.69.4"
},
{
"status": "affected",
"version": "\u003e= 2.70.0-rc.1, \u003c 2.70.1"
},
{
"status": "affected",
"version": "\u003e= 2.65.0-rc.1, \u003c 2.65.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL\u0027s Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, ,2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T16:43:22.529Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x"
},
{
"name": "https://github.com/zitadel/zitadel/commit/d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4"
}
],
"source": {
"advisory": "GHSA-f3gh-529w-v32x",
"discovery": "UNKNOWN"
},
"title": "IDOR Vulnerabilities in ZITADEL\u0027s Admin API that Primarily Impact LDAP Configurations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27507",
"datePublished": "2025-03-04T16:43:22.529Z",
"dateReserved": "2025-02-26T18:11:52.305Z",
"dateUpdated": "2025-03-12T21:11:10.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49757 (GCVE-0-2024-49757)
Vulnerability from cvelistv5 – Published: 2024-10-25 14:22 – Updated: 2024-10-25 16:14
Title
Zitadel User Registration Bypass Vulnerability
Summary
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
Severity
7.5 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49757",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T15:04:07.205517Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T16:14:16.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.63, \u003c 2.63.5"
},
{
"status": "affected",
"version": "\u003e= 2.62, \u003c 2.62.7"
},
{
"status": "affected",
"version": "\u003e= 2.61, \u003c 2.61.3"
},
{
"status": "affected",
"version": "\u003e= 2.60, \u003c 2.60.3"
},
{
"status": "affected",
"version": "\u003e= 2.59, \u003c 2.59.4"
},
{
"status": "affected",
"version": "\u003c 2.58.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the \"User Registration allowed\" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:22:49.500Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.58.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.59.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.59.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.60.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.60.4"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.61.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.61.4"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.62.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.62.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.63.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.64.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.0"
}
],
"source": {
"advisory": "GHSA-3rmw-76m6-4gjc",
"discovery": "UNKNOWN"
},
"title": "Zitadel User Registration Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49757",
"datePublished": "2024-10-25T14:22:49.500Z",
"dateReserved": "2024-10-18T13:43:23.454Z",
"dateUpdated": "2024-10-25T16:14:16.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49753 (GCVE-0-2024-49753)
Vulnerability from cvelistv5 – Published: 2024-10-25 14:11 – Updated: 2024-10-25 16:17
Title
Denied Host Validation Bypass in Zitadel Actions
Summary
Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions that allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
Severity
5.9 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.64.1",
"status": "affected",
"version": "2.64",
"versionType": "custom"
},
{
"lessThan": "2.63.6",
"status": "affected",
"version": "2.63",
"versionType": "custom"
},
{
"lessThan": "2.62.8",
"status": "affected",
"version": "2.62",
"versionType": "custom"
},
{
"lessThan": "2.61.4",
"status": "affected",
"version": "2.61",
"versionType": "custom"
},
{
"lessThan": "2.60.4",
"status": "affected",
"version": "2.60",
"versionType": "custom"
},
{
"lessThan": "2.59.5",
"status": "affected",
"version": "2.59",
"versionType": "custom"
},
{
"lessThan": "2.58.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T15:04:29.564973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T16:17:38.587Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.64, \u003c 2.64.1"
},
{
"status": "affected",
"version": "\u003e= 2.63, \u003c 2.63.6"
},
{
"status": "affected",
"version": "\u003e= 2.62, \u003c 2.62.8"
},
{
"status": "affected",
"version": "\u003e= 2.61, \u003c 2.61.4"
},
{
"status": "affected",
"version": "\u003e= 2.60, \u003c 2.60.4"
},
{
"status": "affected",
"version": "\u003e= 2.59, \u003c 2.59.5"
},
{
"status": "affected",
"version": "\u003c 2.58.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T14:11:44.092Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.58.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.59.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.59.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.60.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.60.4"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.61.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.61.4"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.62.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.62.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.63.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.6"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.64.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.1"
}
],
"source": {
"advisory": "GHSA-6cf5-w9h3-4rqv",
"discovery": "UNKNOWN"
},
"title": "Denied Host Validation Bypass in Zitadel Actions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49753",
"datePublished": "2024-10-25T14:11:44.092Z",
"dateReserved": "2024-10-18T13:43:23.451Z",
"dateUpdated": "2024-10-25T16:17:38.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46999 (GCVE-0-2024-46999)
Vulnerability from cvelistv5 – Published: 2024-09-19 23:11 – Updated: 2024-09-20 15:44
Title
User Grant Deactivation not Working in Zitadel
Summary
Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in tokens, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore.
Severity
7.3 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.54.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.55.8",
"status": "affected",
"version": "2.55.0",
"versionType": "custom"
},
{
"lessThan": "2.56.6",
"status": "affected",
"version": "2.56.0",
"versionType": "custom"
},
{
"lessThan": "2.57.5",
"status": "affected",
"version": "2.57.0",
"versionType": "custom"
},
{
"lessThan": "2.58.5",
"status": "affected",
"version": "2.58.0",
"versionType": "custom"
},
{
"lessThan": "2.59.3",
"status": "affected",
"version": "2.59.0",
"versionType": "custom"
},
{
"lessThan": "2.60.2",
"status": "affected",
"version": "2.60.0",
"versionType": "custom"
},
{
"lessThan": "2.61.1",
"status": "affected",
"version": "2.61.0",
"versionType": "custom"
},
{
"lessThan": "2.62.1",
"status": "affected",
"version": "2.62.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T15:42:37.629006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T15:44:42.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.62.0, \u003c 2.62.1"
},
{
"status": "affected",
"version": "\u003e= 2.61.0, \u003c 2.61.1"
},
{
"status": "affected",
"version": "\u003e= 2.60.0, \u003c 2.60.2"
},
{
"status": "affected",
"version": "\u003e= 2.59.0, \u003c 2.59.3"
},
{
"status": "affected",
"version": "\u003e= 2.58.0, \u003c 2.58.5"
},
{
"status": "affected",
"version": "\u003e= 2.57.0, \u003c 2.57.5"
},
{
"status": "affected",
"version": "\u003e= 2.56.0, \u003c 2.56.6"
},
{
"status": "affected",
"version": "\u003e= 2.55.0, \u003c 2.55.8"
},
{
"status": "affected",
"version": "\u003c 2.54.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is an open source identity management platform. ZITADEL\u0027s user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T23:11:48.256Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5"
}
],
"source": {
"advisory": "GHSA-2w5j-qfvw-2hf5",
"discovery": "UNKNOWN"
},
"title": "User Grant Deactivation not Working in Zitadel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-46999",
"datePublished": "2024-09-19T23:11:48.256Z",
"dateReserved": "2024-09-16T16:10:09.022Z",
"dateUpdated": "2024-09-20T15:44:42.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47000 (GCVE-0-2024-47000)
Vulnerability from cvelistv5 – Published: 2024-09-19 23:10 – Updated: 2024-09-20 15:42
Title
Service Users Deactivation not Working in Zitadel
Summary
Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may, instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account's password.
Severity
8.1 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.54.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.55.8",
"status": "affected",
"version": "2.55.0",
"versionType": "custom"
},
{
"lessThan": "2.56.6",
"status": "affected",
"version": "2.56.0",
"versionType": "custom"
},
{
"lessThan": "2.57.5",
"status": "affected",
"version": "2.57.0",
"versionType": "custom"
},
{
"lessThan": "2.58.5",
"status": "affected",
"version": "2.58.0",
"versionType": "custom"
},
{
"lessThan": "2.59.3",
"status": "affected",
"version": "2.59.0",
"versionType": "custom"
},
{
"lessThan": "2.60.2",
"status": "affected",
"version": "2.60.0",
"versionType": "custom"
},
{
"lessThan": "2.61.1",
"status": "affected",
"version": "2.61.0",
"versionType": "custom"
},
{
"lessThan": "2.62.1",
"status": "affected",
"version": "2.62.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47000",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T15:39:20.211544Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T15:42:00.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.62.0, \u003c 2.62.1"
},
{
"status": "affected",
"version": "\u003e= 2.61.0, \u003c 2.61.1"
},
{
"status": "affected",
"version": "\u003e= 2.60.0, \u003c 2.60.2"
},
{
"status": "affected",
"version": "\u003e= 2.59.0, \u003c 2.59.3"
},
{
"status": "affected",
"version": "\u003e= 2.58.0, \u003c 2.58.5"
},
{
"status": "affected",
"version": "\u003e= 2.57.0, \u003c 2.57.5"
},
{
"status": "affected",
"version": "\u003e= 2.56.0, \u003c 2.56.6"
},
{
"status": "affected",
"version": "\u003e= 2.55.0, \u003c 2.55.8"
},
{
"status": "affected",
"version": "\u003c 2.54.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is an open source identity management platform. ZITADEL\u0027s user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised t upgrade. Users unable to upgrade may instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account\u0027s password."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T23:10:33.882Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393"
}
],
"source": {
"advisory": "GHSA-qr2h-7pwm-h393",
"discovery": "UNKNOWN"
},
"title": "Service Users Deactivation not Working in Zitadel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47000",
"datePublished": "2024-09-19T23:10:33.882Z",
"dateReserved": "2024-09-16T16:10:09.022Z",
"dateUpdated": "2024-09-20T15:42:00.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47060 (GCVE-0-2024-47060)
Vulnerability from cvelistv5 – Published: 2024-09-19 23:08 – Updated: 2024-09-20 15:28
Title
Unauthorized Access After Organization or Project Deactivation in Zitadel
Summary
Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, its associated projects, and thus their applications, remain active. Users across other organizations can still log in and access resources through these applications, leading to unauthorized access. Additionally, if a project was deactivated, access to its applications was still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47060",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T15:27:59.964305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T15:28:08.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.62.0, \u003c 2.62.1"
},
{
"status": "affected",
"version": "\u003e= 2.61.0, \u003c 2.61.1"
},
{
"status": "affected",
"version": "\u003e= 2.60.0, \u003c 2.60.2"
},
{
"status": "affected",
"version": "\u003e= 2.59.0, \u003c 2.59.3"
},
{
"status": "affected",
"version": "\u003e= 2.58.0, \u003c 2.58.5"
},
{
"status": "affected",
"version": "\u003e= 2.57.0, \u003c 2.57.5"
},
{
"status": "affected",
"version": "\u003e= 2.56.0, \u003c 2.56.6"
},
{
"status": "affected",
"version": "\u003e= 2.55.0, \u003c 2.55.8"
},
{
"status": "affected",
"version": "\u003c 2.54.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization\u0027s lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T23:08:01.375Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8"
}
],
"source": {
"advisory": "GHSA-jj94-6f5c-65r8",
"discovery": "UNKNOWN"
},
"title": "Unauthorized Access After Organization or Project Deactivation in Zitadel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47060",
"datePublished": "2024-09-19T23:08:01.375Z",
"dateReserved": "2024-09-17T17:42:37.027Z",
"dateUpdated": "2024-09-20T15:28:08.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41953 (GCVE-0-2024-41953)
Vulnerability from cvelistv5 – Published: 2024-07-31 16:42 – Updated: 2024-08-01 13:48
Title
Zitadel improperly sanitizes HTML in emails and Console UI
Summary
Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker, without privileges, could send out altered notifications that are part of the registration processes. An attacker could create a malicious link, where the injected code would be rendered as part of the email. On the user's detail page, the username was also not sanitized and would also render HTML, giving an attacker the same vulnerability. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by most email clients and the Content Security Policy in Console UI. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, 2.53.9, and 2.52.3.
Severity ?
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T13:48:22.254696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T13:48:32.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.52.0, \u003c 2.52.3"
},
{
"status": "affected",
"version": "\u003e= 2.53.0, \u003c 2.53.9"
},
{
"status": "affected",
"version": "\u003e= 2.54.0, \u003c 2.54.8"
},
{
"status": "affected",
"version": "\u003e= 2.55.0, \u003c 2.55.5"
},
{
"status": "affected",
"version": "\u003e= 2.56.0, \u003c 2.56.2"
},
{
"status": "affected",
"version": "\u003e= 2.57.0, \u003c 2.57.1"
},
{
"status": "affected",
"version": "\u003e= 2.58.0, \u003c 2.58.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is an open source identity management system. ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to a missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker, without privileges, could send out altered notifications that are part of the registration processes. An attacker could create a malicious link, where the injected code would be rendered as part of the email. On the user\u0027s detail page, the username was also not sanitized and would also render HTML, giving an attacker the same vulnerability. While it was possible to inject HTML including javascript, the execution of such scripts would be prevented by most email clients and the Content Security Policy in Console UI. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8 2.53.9, and 2.52.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T16:42:33.125Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v333-7h2p-5fhv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-v333-7h2p-5fhv"
},
{
"name": "https://github.com/zitadel/zitadel/commit/0e1f99e987b5851caec45a72660fe9f67e425747",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/0e1f99e987b5851caec45a72660fe9f67e425747"
},
{
"name": "https://github.com/zitadel/zitadel/commit/38da602ee1cfc35c0d7918c298fbfc3f3674133b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/38da602ee1cfc35c0d7918c298fbfc3f3674133b"
},
{
"name": "https://github.com/zitadel/zitadel/commit/4b59cac67bb89c1f3f84a2041dd273d11151d29f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/4b59cac67bb89c1f3f84a2041dd273d11151d29f"
},
{
"name": "https://github.com/zitadel/zitadel/commit/c1a3fc72dde16e987d8a09aa291e7c2edfc928f7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/c1a3fc72dde16e987d8a09aa291e7c2edfc928f7"
},
{
"name": "https://github.com/zitadel/zitadel/commit/c353f82f89c6982c0888c6763363296cf4263cb2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/c353f82f89c6982c0888c6763363296cf4263cb2"
},
{
"name": "https://github.com/zitadel/zitadel/commit/d04ac6df8f2f0243e649b802a8bfa6176cef0923",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/d04ac6df8f2f0243e649b802a8bfa6176cef0923"
},
{
"name": "https://github.com/zitadel/zitadel/commit/f846616a3f022e88e3ea8cea05d3254ad86f1615",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/f846616a3f022e88e3ea8cea05d3254ad86f1615"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.52.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.52.3"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.53.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.54.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.55.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.56.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.56.2"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.57.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.57.1"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.58.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.1"
}
],
"source": {
"advisory": "GHSA-v333-7h2p-5fhv",
"discovery": "UNKNOWN"
},
"title": "Zitadel improperly sanitizes HTML in emails and Console UI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41953",
"datePublished": "2024-07-31T16:42:33.125Z",
"dateReserved": "2024-07-24T16:51:40.949Z",
"dateUpdated": "2024-08-01T13:48:32.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41952 (GCVE-0-2024-41952)
Vulnerability from cvelistv5 – Published: 2024-07-31 16:30 – Updated: 2024-07-31 17:36
Title
Zitadel has an "Ignoring unknown usernames" vulnerability
Summary
Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". Due to an implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases, and an attacker could learn whether an account exists within ZITADEL, since the error message shows "object not found" instead of the generic error message. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, and 2.53.9.
Severity ?
5.3 (Medium)
CWE
- CWE-203 - Observable Discrepancy
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.53.9",
"status": "affected",
"version": "2.53.0",
"versionType": "custom"
},
{
"lessThan": "2.54.8",
"status": "affected",
"version": "2.54.0",
"versionType": "custom"
},
{
"lessThan": "2.55.5",
"status": "affected",
"version": "2.55.0",
"versionType": "custom"
},
{
"lessThan": "2.56.2",
"status": "affected",
"version": "2.56.0",
"versionType": "custom"
},
{
"lessThan": "2.57.1",
"status": "affected",
"version": "2.57.0",
"versionType": "custom"
},
{
"lessThan": "2.58.1",
"status": "affected",
"version": "2.58.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41952",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T17:32:41.126563Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T17:36:34.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.53.0, \u003c 2.53.9"
},
{
"status": "affected",
"version": "\u003e= 2.54.0, \u003c 2.54.8"
},
{
"status": "affected",
"version": "\u003e= 2.55.0, \u003c 2.55.5"
},
{
"status": "affected",
"version": "\u003e= 2.56.0, \u003c 2.56.2"
},
{
"status": "affected",
"version": "\u003e= 2.57.0, \u003c 2.57.1"
},
{
"status": "affected",
"version": "\u003e= 2.58.0, \u003c 2.58.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn\u0027t exist and report \"Username or Password invalid\". Due to a implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases and an attacker would gain information if an account exist within ZITADEL, since the error message shows \"object not found\" instead of the generic error message. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, and 2.53.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203: Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T16:36:07.448Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-567v-6hmg-6qg7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-567v-6hmg-6qg7"
},
{
"name": "https://github.com/zitadel/zitadel/commit/0ab0c645ef914298c343fa39cccb1290aba48bf6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/0ab0c645ef914298c343fa39cccb1290aba48bf6"
},
{
"name": "https://github.com/zitadel/zitadel/commit/3c7d12834e32426416235b9e3374be0f4b9380b8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/3c7d12834e32426416235b9e3374be0f4b9380b8"
},
{
"name": "https://github.com/zitadel/zitadel/commit/5c2526c98aafd1ba206be2fa4291b1d24c384f6d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/5c2526c98aafd1ba206be2fa4291b1d24c384f6d"
},
{
"name": "https://github.com/zitadel/zitadel/commit/8565d24fd8df5bd35294313cfbfcc2e15aea20e9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/8565d24fd8df5bd35294313cfbfcc2e15aea20e9"
},
{
"name": "https://github.com/zitadel/zitadel/commit/b0e71a81ef39667ce2a149ce037c1ca0edbe059d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/b0e71a81ef39667ce2a149ce037c1ca0edbe059d"
},
{
"name": "https://github.com/zitadel/zitadel/commit/fc1d415b8db5b8d481bb65206ce3fc944c0eecea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/fc1d415b8db5b8d481bb65206ce3fc944c0eecea"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.53.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.54.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.55.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.56.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.56.2"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.57.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.57.1"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.58.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.1"
}
],
"source": {
"advisory": "GHSA-567v-6hmg-6qg7",
"discovery": "UNKNOWN"
},
"title": "Zitadel has an \"Ignoring unknown usernames\" vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41952",
"datePublished": "2024-07-31T16:30:22.811Z",
"dateReserved": "2024-07-24T16:51:40.949Z",
"dateUpdated": "2024-07-31T17:36:34.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39683 (GCVE-0-2024-39683)
Vulnerability from cvelistv5 – Published: 2024-07-03 19:20 – Updated: 2024-08-02 04:26
Title
ZITADEL Vulnerable to Session Information Leakage
Summary
ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that user agent information (e.g. when created through the session service) were incorrectly listed, potentially exposing other users' sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available.
Severity ?
5.7 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.54.5",
"status": "affected",
"version": "2.54.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "2.55.0"
},
{
"lessThan": "2.53.8",
"status": "affected",
"version": "2.53.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39683",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-05T18:26:22.872833Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T16:54:43.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.915Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397"
},
{
"name": "https://github.com/zitadel/zitadel/issues/8213",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/issues/8213"
},
{
"name": "https://github.com/zitadel/zitadel/pull/8231",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/pull/8231"
},
{
"name": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04"
},
{
"name": "https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da"
},
{
"name": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73"
},
{
"name": "https://discord.com/channels/927474939156643850/1254096852937347153",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discord.com/channels/927474939156643850/1254096852937347153"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "= 2.55.0"
},
{
"status": "affected",
"version": "\u003e= 2.54.0, \u003c 2.54.5"
},
{
"status": "affected",
"version": "\u003e= 2.53.0, \u003c 2.53.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created though the session service) were incorrectly listed exposing potentially other user\u0027s sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T19:20:08.880Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397"
},
{
"name": "https://github.com/zitadel/zitadel/issues/8213",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/issues/8213"
},
{
"name": "https://github.com/zitadel/zitadel/pull/8231",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/pull/8231"
},
{
"name": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04"
},
{
"name": "https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da"
},
{
"name": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73"
},
{
"name": "https://discord.com/channels/927474939156643850/1254096852937347153",
"tags": [
"x_refsource_MISC"
],
"url": "https://discord.com/channels/927474939156643850/1254096852937347153"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.53.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.54.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.55.1"
}
],
"source": {
"advisory": "GHSA-cvw9-c57h-3397",
"discovery": "UNKNOWN"
},
"title": "ZITADEL Vulnerable to Session Information Leakage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39683",
"datePublished": "2024-07-03T19:20:08.880Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:15.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32967 (GCVE-0-2024-32967)
Vulnerability from cvelistv5 – Published: 2024-05-01 06:43 – Updated: 2024-08-02 02:27
Title
Zitadel exposes internal database user name and host information
Summary
Zitadel is an open source identity management system. If ZITADEL could not connect to the database, connection information including the database name, username and database host name could be returned to the user. This has been addressed in all supported release branches in a point release. There is no workaround since a patch is already available. Users are advised to upgrade.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.45.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.46.7",
"status": "affected",
"version": "2.46.0",
"versionType": "custom"
},
{
"lessThan": "2.47.10",
"status": "affected",
"version": "2.47.0",
"versionType": "custom"
},
{
"lessThan": "2.48.5",
"status": "affected",
"version": "2.48.0",
"versionType": "custom"
},
{
"lessThan": "2.49.5",
"status": "affected",
"version": "2.49.0",
"versionType": "custom"
},
{
"lessThan": "2.50.3",
"status": "affected",
"version": "2.50.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T17:12:34.287616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T17:39:20.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:27:53.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945"
},
{
"name": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 2.45.7"
},
{
"status": "affected",
"version": "\u003e= 2.46.0,\u003c 2.46.7"
},
{
"status": "affected",
"version": "\u003e= 2.47.0, \u003c 2.47.10"
},
{
"status": "affected",
"version": "\u003e= 2.48.0, \u003c 2.48.5"
},
{
"status": "affected",
"version": "\u003e= 2.49.0, \u003c 2.49.5"
},
{
"status": "affected",
"version": "\u003e= 2.50.0, \u003c 2.50.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is an open source identity management system. In case ZITADEL could not connect to the database, connection information including db name, username and db host name could be returned to the user. This has been addressed in all supported release branches in a point release. There is no workaround since a patch is already available. Users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T16:35:43.712Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-q5qj-x2h5-3945"
},
{
"name": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/commit/b918603b576d156a08b90917c14c2d019c82ffc6"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.10"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.49.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.3"
}
],
"source": {
"advisory": "GHSA-q5qj-x2h5-3945",
"discovery": "UNKNOWN"
},
"title": "Zitadel exposes internal database user name and host information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32967",
"datePublished": "2024-05-01T06:43:36.137Z",
"dateReserved": "2024-04-22T15:14:59.165Z",
"dateUpdated": "2024-08-02T02:27:53.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32868 (GCVE-0-2024-32868)
Vulnerability from cvelistv5 – Published: 2024-04-25 23:53 – Updated: 2024-08-05 16:54
Title
ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass
Summary
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0.
Severity
6.5 (Medium)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.643Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T16:53:50.442182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T16:54:00.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 2.50.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-297",
"description": "CWE-297: Improper Validation of Certificate with Host Mismatch",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-25T23:53:37.235Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0"
}
],
"source": {
"advisory": "GHSA-7j7j-66cv-m239",
"discovery": "UNKNOWN"
},
"title": "ZITADEL\u0027s Improper Lockout Mechanism Leads to MFA Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32868",
"datePublished": "2024-04-25T23:53:37.235Z",
"dateReserved": "2024-04-19T14:07:11.229Z",
"dateUpdated": "2024-08-05T16:54:00.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29892 (GCVE-0-2024-29892)
Vulnerability from cvelistv5 – Published: 2024-03-27 19:59 – Updated: 2024-08-13 14:07
Title
ZITADEL's actions can overload reserved claims
Summary
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
Severity
6.1 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:58.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.42.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.43.11",
"status": "affected",
"version": "2.43.0",
"versionType": "custom"
},
{
"lessThan": "2.44.7",
"status": "affected",
"version": "2.44.0",
"versionType": "custom"
},
{
"lessThan": "2.45.5",
"status": "affected",
"version": "2.45.0",
"versionType": "custom"
},
{
"lessThan": "2.46.5",
"status": "affected",
"version": "2.46.0",
"versionType": "custom"
},
{
"lessThan": "2.47.8",
"status": "affected",
"version": "2.47.0",
"versionType": "custom"
},
{
"lessThan": "2.48.3",
"status": "affected",
"version": "2.48.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T18:21:49.100701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T14:07:12.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 2.42.17"
},
{
"status": "affected",
"version": "\u003e= 2.43.0, \u003c 2.43.11"
},
{
"status": "affected",
"version": "\u003e= 2.44.0, \u003c 2.44.7"
},
{
"status": "affected",
"version": "\u003e= 2.45.0, \u003c 2.45.5"
},
{
"status": "affected",
"version": "\u003e= 2.46.0, \u003c 2.46.5"
},
{
"status": "affected",
"version": "\u003e= 2.47.0, \u003c 2.47.8"
},
{
"status": "affected",
"version": "\u003e= 2.48.0, \u003c 2.48.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-27T19:59:24.734Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3"
}
],
"source": {
"advisory": "GHSA-gp8g-f42f-95q2",
"discovery": "UNKNOWN"
},
"title": "ZITADEL\u0027s actions can overload reserved claims"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29892",
"datePublished": "2024-03-27T19:59:24.734Z",
"dateReserved": "2024-03-21T15:12:08.998Z",
"dateUpdated": "2024-08-13T14:07:12.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29891 (GCVE-0-2024-29891)
Vulnerability from cvelistv5 – Published: 2024-03-27 19:18 – Updated: 2024-08-02 01:17
Title
ZITADEL Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass
Summary
ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
Severity
8.7 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T18:36:06.675259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:57:38.082Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:58.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 2.42.17"
},
{
"status": "affected",
"version": "\u003e= 2.43.0, \u003c 2.43.11"
},
{
"status": "affected",
"version": "\u003e= 2.44.0, \u003c 2.44.7"
},
{
"status": "affected",
"version": "\u003e= 2.45.0, \u003c 2.45.5"
},
{
"status": "affected",
"version": "\u003e= 2.46.0, \u003c 2.46.5"
},
{
"status": "affected",
"version": "\u003e= 2.47.0, \u003c 2.47.8"
},
{
"status": "affected",
"version": "\u003e= 2.48.0, \u003c 2.48.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim\u0027s account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-27T19:18:08.078Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3"
}
],
"source": {
"advisory": "GHSA-hr5w-cwwq-2v4m",
"discovery": "UNKNOWN"
},
"title": "ZITADEL Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29891",
"datePublished": "2024-03-27T19:18:08.078Z",
"dateReserved": "2024-03-21T15:12:08.998Z",
"dateUpdated": "2024-08-02T01:17:58.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28855 (GCVE-0-2024-28855)
Vulnerability from cvelistv5 – Published: 2024-03-18 21:46 – Updated: 2024-08-13 14:19
Title
ZITADEL vulnerable to improper HTML sanitization
Summary
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to an improper use of the `text/template` instead of the `html/template` package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link, where he injected code which would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available.
Severity
8.1 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:56:58.167Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.41.15",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.41.15"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.15",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.15"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.3"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.1"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.1"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.41.15",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.42.15",
"status": "affected",
"version": "2.42.0",
"versionType": "custom"
},
{
"lessThan": "2.43.9",
"status": "affected",
"version": "2.43.0",
"versionType": "custom"
},
{
"lessThan": "2.44.3",
"status": "affected",
"version": "2.44.0",
"versionType": "custom"
},
{
"lessThan": "2.47.4",
"status": "affected",
"version": "2.47.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:2.45.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "2.45.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:2.46.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "2.46.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-19T15:00:40.963408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T14:19:08.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 2.41.15"
},
{
"status": "affected",
"version": "\u003e= 2.42.0, \u003c 2.42.15"
},
{
"status": "affected",
"version": "\u003e= 2.43.0, \u003c 2.43.9"
},
{
"status": "affected",
"version": "\u003e= 2.44.0, \u003c 2.44.3"
},
{
"status": "affected",
"version": "= 2.45.0"
},
{
"status": "affected",
"version": "= 2.46.0"
},
{
"status": "affected",
"version": "\u003e= 2.47.0, \u003c 2.47.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to a improper use of the `text/template` instead of the `html/template` package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15. An attacker could create a malicious link, where he injected code which would be rendered as part of the login screen. While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by the Content Security Policy. Versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and 2.41.15 contain a patch for this issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-18T21:46:47.314Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hfrg-4jwr-jfpj"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.41.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.41.15"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.42.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.15"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.43.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.9"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.44.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.3"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.45.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.1"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.46.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.1"
},
{
"name": "https://github.com/zitadel/zitadel/releases/tag/v2.47.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.3"
}
],
"source": {
"advisory": "GHSA-hfrg-4jwr-jfpj",
"discovery": "UNKNOWN"
},
"title": "ZITADEL vulnerable to improper HTML sanitization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28855",
"datePublished": "2024-03-18T21:46:47.314Z",
"dateReserved": "2024-03-11T22:45:07.686Z",
"dateUpdated": "2024-08-13T14:19:08.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
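The template mistake behind CVE-2024-28855, shown as an added example that is not ZITADEL's code: a hypothetical login-page fragment is rendered once with `text/template` (the flawed choice, which copies values verbatim) and once with `html/template` (the fix, which escapes for the HTML context), with the value taken from a query parameter of a crafted link. The fragment, the `loginName` parameter and the hostname are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"net/url"
	"strings"
	texttemplate "text/template"
)

// Hypothetical fragment of a login page; not ZITADEL's template.
const loginFragment = `<p class="hint">Signing in as {{.LoginName}}</p>`

type loginView struct {
	LoginName string
}

// loginNameFromURL returns the (assumed) loginName query parameter, i.e. the
// attacker-controlled input carried by a crafted link.
func loginNameFromURL(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Query().Get("loginName"), nil
}

// renderWithTextTemplate reproduces the bug class: text/template performs no
// escaping, so any markup in the parameter becomes part of the page.
func renderWithTextTemplate(loginName string) (string, error) {
	tmpl, err := texttemplate.New("login").Parse(loginFragment)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, loginView{LoginName: loginName}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithHTMLTemplate is the fix: html/template escapes the value
// according to the HTML context it lands in (here, element text).
func renderWithHTMLTemplate(loginName string) (string, error) {
	tmpl, err := htmltemplate.New("login").Parse(loginFragment)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, loginView{LoginName: loginName}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsRawTag is a crude regression check: rendered output must never
// contain an unescaped tag that originated in user input.
func containsRawTag(rendered, tag string) bool {
	return strings.Contains(rendered, "<"+tag)
}

func main() {
	// Constructed malicious link; the payload decodes to <img src=x onerror=alert(1)>.
	link := "https://login.example.com/login?loginName=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"
	name, err := loginNameFromURL(link)
	if err != nil {
		panic(err)
	}
	unsafeOut, _ := renderWithTextTemplate(name)
	safeOut, _ := renderWithHTMLTemplate(name)
	fmt.Println("text/template:", unsafeOut)
	fmt.Println("html/template:", safeOut)
	fmt.Println("raw <img> survives text/template:", containsRawTag(unsafeOut, "img")) // true
	fmt.Println("raw <img> survives html/template:", containsRawTag(safeOut, "img"))   // false
}
```

The advisory notes that the Content Security Policy blocked script execution; the example still treats unescaped markup as a defect, because injected HTML without script (spoofed text, injected forms, dangling markup) is enough for phishing inside a login screen. Grepping a Go code base for `text/template` imports in any package that writes to an HTTP response is a quick way to find the same mistake elsewhere.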
CVE-2024-28197 (GCVE-0-2024-28197)
Vulnerability from cvelistv5 – Published: 2024-03-11 19:48 – Updated: 2024-08-26 18:14
Title
Account Takeover via Session Fixation in Zitadel [Bypassing MFA]
Summary
Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide the user with a malicious link hosted on a subdomain to gain access to the victim’s account in certain scenarios. The victim would need to log in through the malicious link for this exploit to work. If the victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain: either the attacker being able to control DNS, or an XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie, so users will need to start a new session, and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent the following cookie name from being set on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`.
Severity
7.5 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"lessThan": "2.44.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.45.1",
"status": "affected",
"version": "2.45.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28197",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T18:13:08.740406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T18:14:26.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003c 2.44.3"
},
{
"status": "affected",
"version": "\u003e= 2.45.0, \u003c 2.45.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide the user with a malicious link hosted on a subdomain to gain access to the victim\u2019s account in certain scenarios. The victim would need to log in through the malicious link for this exploit to work. If the victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain: either the attacker being able to control DNS, or an XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie, so users will need to start a new session, and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent the following cookie name from being set on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-11T19:48:11.008Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr"
}
],
"source": {
"advisory": "GHSA-mq4x-r2w3-j7mr",
"discovery": "UNKNOWN"
},
"title": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA]"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28197",
"datePublished": "2024-03-11T19:48:11.008Z",
"dateReserved": "2024-03-06T17:35:00.860Z",
"dateUpdated": "2024-08-26T18:14:26.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
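The cookie-scope issue in the CVE-2024-28197 record above, as an added example that is not ZITADEL's code: Go's `net/http/cookiejar` stands in for the browser's cookie store, and three scenarios show a cookie with a `Domain` attribute reaching every subdomain, a host-only cookie staying on the identity host, and a subdomain response planting a cookie of the advisory's name that the browser then presents to the identity host (the fixation path). A response filter models the advisory's interim WAF mitigation. The hostnames `zitadel.example.com` and `app.zitadel.example.com` and the cookie values are assumptions; only the cookie name comes from the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"strings"
)

// Hypothetical hosts for the demonstration (not a real deployment).
const (
	idpOrigin  = "https://zitadel.example.com"     // the ZITADEL instance
	subOrigin  = "https://app.zitadel.example.com" // a subdomain the attacker can influence
	cookieName = "__Secure-zitadel-useragent"      // cookie name from the advisory
)

func newJar() http.CookieJar {
	jar, err := cookiejar.New(nil)
	if err != nil {
		panic(err)
	}
	return jar
}

// storeSetCookie feeds one Set-Cookie header, as if received in a response
// from origin, into the jar that stands in for the browser's cookie store.
func storeSetCookie(jar http.CookieJar, origin, setCookie string) {
	u, err := url.Parse(origin)
	if err != nil {
		panic(err)
	}
	resp := &http.Response{Header: http.Header{"Set-Cookie": {setCookie}}}
	jar.SetCookies(u, resp.Cookies())
}

// valueSentTo returns the value the jar would attach for name on a request
// to target, or "" if the cookie is out of scope for that host.
func valueSentTo(jar http.CookieJar, target, name string) string {
	u, err := url.Parse(target)
	if err != nil {
		panic(err)
	}
	for _, c := range jar.Cookies(u) {
		if c.Name == name {
			return c.Value
		}
	}
	return ""
}

// domainCookieVisibleOnSubdomain: a cookie the IdP sets with a Domain
// attribute is also sent to every subdomain (the exposure the advisory describes).
func domainCookieVisibleOnSubdomain() bool {
	jar := newJar()
	storeSetCookie(jar, idpOrigin, cookieName+"=victim-agent; Domain=zitadel.example.com; Path=/; Secure; HttpOnly")
	return valueSentTo(jar, subOrigin, cookieName) != ""
}

// hostOnlyCookieVisibleOnSubdomain: without a Domain attribute the cookie is
// host-only and never leaves the IdP host.
func hostOnlyCookieVisibleOnSubdomain() bool {
	jar := newJar()
	storeSetCookie(jar, idpOrigin, cookieName+"=victim-agent; Path=/; Secure; HttpOnly")
	return valueSentTo(jar, subOrigin, cookieName) != ""
}

// fixationFromSubdomain: a response from the attacker-influenced subdomain
// plants a domain cookie that the browser then presents to the IdP host.
// Returns the value the IdP would receive.
func fixationFromSubdomain() string {
	jar := newJar()
	storeSetCookie(jar, subOrigin, cookieName+"=attacker-agent; Domain=zitadel.example.com; Path=/; Secure")
	return valueSentTo(jar, idpOrigin, cookieName)
}

// rejectSubdomainSetCookie expresses the advisory's interim mitigation as a
// response filter: a Set-Cookie for the protected name may only originate
// from the IdP host itself. Returns true when the header should be dropped.
func rejectSubdomainSetCookie(origin, setCookie string) bool {
	u, err := url.Parse(origin)
	if err != nil {
		return true
	}
	name, _, _ := strings.Cut(strings.TrimSpace(setCookie), "=")
	idp, _ := url.Parse(idpOrigin)
	return strings.EqualFold(strings.TrimSpace(name), cookieName) &&
		!strings.EqualFold(u.Hostname(), idp.Hostname())
}

func main() {
	fmt.Println("Domain cookie visible on subdomain:   ", domainCookieVisibleOnSubdomain())   // true
	fmt.Println("Host-only cookie visible on subdomain:", hostOnlyCookieVisibleOnSubdomain()) // false
	fmt.Println("Value IdP sees after subdomain planted:", fixationFromSubdomain())           // attacker-agent
	fmt.Println("Filter drops subdomain Set-Cookie:     ", rejectSubdomainSetCookie(subOrigin, cookieName+"=x; Domain=zitadel.example.com")) // true
}
```

Two caveats when checking your own deployment: the `__Secure-` prefix only obliges browsers to require the `Secure` attribute; it does not stop a cookie from carrying a `Domain` attribute, which is what the `__Host-` prefix does. And `cookiejar.New(nil)` approximates browser scoping without a public-suffix list, which is adequate for a private parent domain like the one assumed here but not for hosts directly under a public suffix.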
CVE-2023-49097 (GCVE-0-2023-49097)
Vulnerability from cvelistv5 – Published: 2023-11-30 04:45 – Updated: 2024-11-27 15:55
Title
ZITADEL vulnerable to account takeover via malicious host header injection
Summary
ZITADEL is an identity infrastructure system. ZITADEL uses the Forwarded or X-Forwarded-Host header of the request that triggers a notification to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and the user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the user's password and take over their account. Accounts with MFA or Passwordless enabled cannot be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.
Severity
8.1 (High)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:28.898Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T15:55:31.497684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T15:55:49.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zitadel",
"vendor": "zitadel",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.39.0, \u003c 2.39.9"
},
{
"status": "affected",
"version": "\u003e= 2.40.0, \u003c 2.40.10"
},
{
"status": "affected",
"version": "\u003e= 2.41.0, \u003c 2.41.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ZITADEL is an identity infrastructure system. ZITADEL uses the Forwarded or X-Forwarded-Host header of the request that triggers a notification to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and the user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the user's password and take over their account. Accounts with MFA or Passwordless enabled cannot be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-30T04:45:49.675Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w"
}
],
"source": {
"advisory": "GHSA-2wmj-46rj-qm2w",
"discovery": "UNKNOWN"
},
"title": "ZITADEL vulnerable to account takeover via malicious host header injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49097",
"datePublished": "2023-11-30T04:45:49.675Z",
"dateReserved": "2023-11-21T18:57:30.430Z",
"dateUpdated": "2024-11-27T15:55:49.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
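The header-trust flaw in the CVE-2023-49097 record above, as an added example that is not ZITADEL's code: a reset-link builder that takes its host from `Forwarded` (RFC 7239 `host=` parameter), then `X-Forwarded-Host`, then the request `Host`, is shown beside one that uses only configured values, plus an exact-match allowlist for deployments that must honour proxy headers. The route `/ui/login/password/init`, the `code` parameter, the hostnames and the `externalDomain` constant are assumptions; the page does not give ZITADEL's real route or the details of its fix.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Assumptions for the demonstration: placeholder reset route and parameter,
// and externalDomain as the operator-configured public hostname.
const (
	resetPath      = "/ui/login/password/init"
	externalDomain = "auth.example.com"
)

// forwardedHost extracts the host= parameter of the first element of an
// RFC 7239 Forwarded header ("for=...;proto=...;host=..."), or "".
func forwardedHost(h http.Header) string {
	fwd := h.Get("Forwarded")
	if fwd == "" {
		return ""
	}
	first, _, _ := strings.Cut(fwd, ",")
	for _, pair := range strings.Split(first, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if ok && strings.EqualFold(k, "host") {
			return strings.Trim(strings.TrimSpace(v), `"`)
		}
	}
	return ""
}

// newResetRequest builds the request as a reverse proxy would hand it to the
// backend; hdrs are the constructed proxy headers for each scenario.
func newResetRequest(host string, hdrs map[string]string) *http.Request {
	r, err := http.NewRequest(http.MethodPost, "https://"+host+"/reset", nil)
	if err != nil {
		panic(err)
	}
	for k, v := range hdrs {
		r.Header.Set(k, v)
	}
	return r
}

// resetLinkVulnerable mirrors the flawed pattern: the link host comes from
// headers any unauthenticated client can supply, so the one-time code is
// mailed out inside a link that points at the attacker's site.
func resetLinkVulnerable(r *http.Request, code string) string {
	host := forwardedHost(r.Header)
	if host == "" {
		host = r.Header.Get("X-Forwarded-Host")
	}
	if host == "" {
		host = r.Host
	}
	return "https://" + host + resetPath + "?code=" + url.QueryEscape(code)
}

// resetLinkSafe builds the link from configuration only; nothing in the
// triggering request decides where the code is sent.
func resetLinkSafe(code string) string {
	return "https://" + externalDomain + resetPath + "?code=" + url.QueryEscape(code)
}

// hostIsTrusted is the allowlist check for deployments that must honour a
// forwarded host (several custom domains, say): exact match, case-insensitive,
// port and trailing dot ignored, no suffix matching.
func hostIsTrusted(host string, allowed []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	for _, a := range allowed {
		if host == strings.ToLower(a) {
			return true
		}
	}
	return false
}

func main() {
	code := "123456" // constructed one-time code
	spoofed := newResetRequest(externalDomain, map[string]string{"X-Forwarded-Host": "attacker.example"})
	fmt.Println("vulnerable:", resetLinkVulnerable(spoofed, code)) // https://attacker.example/ui/login/password/init?code=123456
	fmt.Println("safe:      ", resetLinkSafe(code))                // https://auth.example.com/ui/login/password/init?code=123456
	fmt.Println("attacker.example trusted:", hostIsTrusted("attacker.example", []string{externalDomain})) // false
}
```

Exact matching in `hostIsTrusted` is deliberate: a suffix check against `example.com` would also accept `attackerexample.com`, and a prefix check would accept `auth.example.com.attacker.net`. When testing an instance, send the reset request with both `Forwarded: host="attacker.example"` and `X-Forwarded-Host: attacker.example` and confirm the emailed link still points at the configured domain; a proxy that appends rather than replaces these headers needs the same check.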