FKIE_CVE-2022-36051

Vulnerability from fkie_nvd - Published: 2022-08-31 23:15 - Updated: 2024-11-21 07:12
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update.
References
security-advisories@github.comhttps://github.com/zitadel/zitadel/releases/tag/v1.87.1Third Party Advisory
security-advisories@github.comhttps://github.com/zitadel/zitadel/releases/tag/v2.2.0Patch, Release Notes, Third Party Advisory
security-advisories@github.comhttps://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2cThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/zitadel/zitadel/releases/tag/v1.87.1Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/zitadel/zitadel/releases/tag/v2.2.0Patch, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2cThird Party Advisory
Impacted products
Vendor Product Version
zitadel zitadel *
zitadel zitadel *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "21639E9B-F9C6-4154-A621-5EB699AA2F2F",
              "versionEndExcluding": "1.87.1",
              "versionStartIncluding": "1.42.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "74BEE341-A883-47DE-A2B1-E62F55AFCC90",
              "versionEndExcluding": "2.2.0",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update."
    },
    {
      "lang": "es",
      "value": "ZITADEL combina la facilidad de Auth0 y la versatilidad de Keycloak.**Acciones**, introducido en ZITADEL versi\u00f3n **1.42.0** en la API y versi\u00f3n **1.56.0** para la Consola, es una caracter\u00edstica, donde los usuarios con rol.\"ORG_OWNER\" son capaces de crear C\u00f3digo Javascript, que es invocado por el sistema en ciertos puntos durante el login. Las **Acciones**, por ejemplo, permiten crear autorizaciones (subvenciones a usuarios) en usuarios reci\u00e9n creados de forma program\u00e1tica. Debido a una falta de comprobaci\u00f3n de autorizaciones, las **Actions** pod\u00edan conceder autorizaciones a proyectos que pertenec\u00edan a otras organizaciones dentro de la misma Instancia. La concesi\u00f3n de autorizaciones por medio de la API y la consola no est\u00e1 afectada por esta vulnerabilidad. Actualmente no se presenta una mitigaci\u00f3n conocida, los usuarios deben actualizar"
    }
  ],
  "id": "CVE-2022-36051",
  "lastModified": "2024-11-21T07:12:16.227",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-08-31T23:15:08.097",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-436"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.