CVE-2024-29892

Published: Mar 27, 2024Modified: Jan 8, 2025

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.

Affected (7)

Products: Zitadel: Zitadel

1 product

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Zitadel Zitadel	Before 2.42.17
Zitadel Zitadel	From 2.43.0 to 2.43.11
Zitadel Zitadel	From 2.44.0 to 2.44.7
Zitadel Zitadel	From 2.45.0 to 2.45.5
Zitadel Zitadel	From 2.46.0 to 2.46.5
Zitadel Zitadel	From 2.47.0 to 2.47.8
Zitadel Zitadel	From 2.48.0 to 2.48.3

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (16)

https://github.com/zitadel/zitadel/releases/tag/v2.42.17

Source: security-advisories@github.com

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.43.11

Source: security-advisories@github.com

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.44.7

Source: security-advisories@github.com

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.45.5

Source: security-advisories@github.com

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.46.5

Source: security-advisories@github.com

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.47.8

Source: security-advisories@github.com

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.48.3

Source: security-advisories@github.com

Release Notes

https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2

Source: security-advisories@github.com

Vendor Advisory

https://github.com/zitadel/zitadel/releases/tag/v2.42.17

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.43.11

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.44.7

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.45.5

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.46.5

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.47.8

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/zitadel/zitadel/releases/tag/v2.48.3

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.