CVE-2024-32868

Published: Apr 26, 2024Modified: Jan 8, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0.

Affected (1)

Products: Zitadel: Zitadel

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zitadel Zitadel	Before 2.50.0

Related CWEs

Improper Validation of Certificate with Host Mismatch

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References (4)

https://github.com/zitadel/zitadel/releases/tag/v2.50.0

Source: security-advisories@github.com

Release Notes

https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239

Source: security-advisories@github.com

Vendor Advisory

https://github.com/zitadel/zitadel/releases/tag/v2.50.0

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.