GHSA-HR5W-CWWQ-2V4M

Vulnerability from github – Published: 2024-03-28 17:07 – Updated: 2025-01-08 20:47
VLAI?
Summary
ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass
Details

Impact

ZITADEL users can upload their own avatar image and various image types are allowed.

Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work.

The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code.

Patches

2.x versions are fixed on >= 2.48.3 2.47.x versions are fixed on >= 2.47.8 2.46.x versions are fixed on >= 2.46.5 2.45.x versions are fixed on >= 2.45.5 2.44.x versions are fixed on >= 2.44.7 2.43.x versions are fixed on >= 2.43.11 2.42.x versions are fixed on >= 2.42.17

ZITADEL recommends upgrading to the latest versions available in due course.

Workarounds

There is no workaround since a patch is already available.

References

None

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.

Severity ?
8.7 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
8.3 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.42.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.43.0"
            },
            {
              "fixed": "2.43.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.44.0"
            },
            {
              "fixed": "2.44.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.45.0"
            },
            {
              "fixed": "2.45.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.46.0"
            },
            {
              "fixed": "2.46.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.47.0"
            },
            {
              "fixed": "2.47.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.48.0"
            },
            {
              "fixed": "2.48.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-28T17:07:33Z",
    "nvd_published_at": "2024-03-27T20:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nZITADEL users can upload their own avatar image and various image types are allowed.\n\nDue to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim\u0027s account in certain scenarios.\nA possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work.\n\nThe exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code.\n\n### Patches\n\n2.x versions are fixed on \u003e= [2.48.3](https://github.com/zitadel/zitadel/releases/tag/v2.48.3)\n2.47.x versions are fixed on \u003e= [2.47.8](https://github.com/zitadel/zitadel/releases/tag/v2.47.8)\n2.46.x versions are fixed on \u003e= [2.46.5](https://github.com/zitadel/zitadel/releases/tag/v2.46.5)\n2.45.x versions are fixed on \u003e= [2.45.5](https://github.com/zitadel/zitadel/releases/tag/v2.45.5)\n2.44.x versions are fixed on \u003e= [2.44.7](https://github.com/zitadel/zitadel/releases/tag/v2.44.7)\n2.43.x versions are fixed on \u003e= [2.43.11](https://github.com/zitadel/zitadel/releases/tag/v2.43.11)\n2.42.x versions are fixed on \u003e= [2.42.17](https://github.com/zitadel/zitadel/releases/tag/v2.42.17)\n\nZITADEL recommends upgrading to the latest versions available in due course.\n\n### Workarounds\n\nThere is no workaround since a patch is already available.\n\n### References\n\nNone\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to Amit Laish \u2013 GE Vernova for finding and reporting the vulnerability.\n",
  "id": "GHSA-hr5w-cwwq-2v4m",
  "modified": "2025-01-08T20:47:00Z",
  "published": "2024-03-28T17:07:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29891"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.42.17"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.43.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.44.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.45.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.46.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.47.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.48.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ZITADEL\u0027s Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.