CVE-2024-46999

Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zitadel:zitadel:2.62.0:::::::*
	cpe:2.3:a:zitadel:zitadel:2.61.0:::::::*
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::

History

24 Sep 2024, 20:20

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
References	~~() https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5 -~~	() https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5 - Patch, Vendor Advisory
CWE	~~CWE-269~~	NVD-CWE-noinfo
CPE		cpe:2.3:a:zitadel:zitadel:2.62.0:::::::* cpe:2.3:a:zitadel:zitadel:2.61.0:::::::* cpe:2.3:a:zitadel:zitadel::::::::
First Time		Zitadel Zitadel zitadel

20 Sep 2024, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-20 00:15

Updated : 2024-09-24 20:20

NVD link : CVE-2024-46999

Mitre link : CVE-2024-46999

JSON object : View

Products Affected

zitadel

zitadel

CWE

NVD-CWE-noinfo

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5", "tags": ["Patch", "Vendor Advisory"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2024-46999", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}}, "publishedDate": "2024-09-20T00:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:zitadel:zitadel:2.62.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zitadel:zitadel:2.61.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.60.2", "versionStartIncluding": "2.60.0"}, {"cpe23Uri": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.59.3", "versionStartIncluding": "2.59.0"}, {"cpe23Uri": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.58.5", "versionStartIncluding": "2.58.0"}, {"cpe23Uri": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.57.5", "versionStartIncluding": "2.57.0"}, {"cpe23Uri": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.56.6", "versionStartIncluding": "2.56.0"}, {"cpe23Uri": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.55.8", "versionStartIncluding": "2.55.0"}, {"cpe23Uri": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.54.10"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2024-09-24T20:20Z"}