CVE-2024-29892
published 2024-03-27
CVE-2024-29892: ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved…
Priority: P4 (26)
CVSS 3.1: 4.9 (medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.77% (50.9th percentile)
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 2.42.17 | 2.42.17 |
| github.com | zitadel_zitadel | >= 2.43.0 < 2.43.11 | 2.43.11 |
| github.com | zitadel_zitadel | >= 2.44.0 < 2.44.7 | 2.44.7 |
| github.com | zitadel_zitadel | >= 2.45.0 < 2.45.5 | 2.45.5 |
| github.com | zitadel_zitadel | >= 2.46.0 < 2.46.5 | 2.46.5 |
| github.com | zitadel_zitadel | >= 2.47.0 < 2.47.8 | 2.47.8 |
| github.com | zitadel_zitadel | >= 2.48.0 < 2.48.3 | 2.48.3 |
| zitadel | zitadel | < 2.42.17 | 2.42.17 |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | >= 2.43.0 < 2.43.11 | 2.43.11 |
| zitadel | zitadel | >= 2.44.0 < 2.44.7 | 2.44.7 |
| zitadel | zitadel | >= 2.45.0 < 2.45.5 | 2.45.5 |
| zitadel | zitadel | >= 2.46.0 < 2.46.5 | 2.46.5 |
| zitadel | zitadel | >= 2.47.0 < 2.47.8 | 2.47.8 |
| zitadel | zitadel | >= 2.48.0 < 2.48.3 | 2.48.3 |
OSV
ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel
osv·2024-06-05
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel before v2.42.17, from v2.43.0 before v2.43.11, from v2.44.0 before v2.44.7, from v2.45.0 before v2.45.5, from v2.46.0 before v2.46.5, from v2.47.0 before v2.47.8, from v2.48.0 before v2.48.3.
GHSA
ZITADEL's actions can overload reserved claims
ghsa·2024-03-28
CVE-2024-29892 [HIGH] CWE-863 ZITADEL's actions can overload reserved claims
### Impact
Under certain circumstances an action could set [reserved claims](https://zitadel.com/docs/apis/openidoauth/claims#reserved-claims) managed by ZITADEL.
For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`
```json
{"urn:zitadel:iam:user:resourceowner:name": "ACME"}
```
if it was not set by ZITADEL itself.
To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`.
### Patches
2.x versions are fixed on >= [2.48.3](https://github.com/zitadel/zitadel/releases/tag/v2.48.3)
2.47.x versions are fixed on >= [2.47.8](https://github.com/zitadel/zitadel/releases/tag/v2.47.8)
2.46.x versions are fixed on >= [2.46.5](https://github
OSV
ZITADEL's actions can overload reserved claims
osv·2024-03-28
CVE-2024-29892 [HIGH] ZITADEL's actions can overload reserved claims
### Impact
Under certain circumstances an action could set [reserved claims](https://zitadel.com/docs/apis/openidoauth/claims#reserved-claims) managed by ZITADEL.
For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`
```json
{"urn:zitadel:iam:user:resourceowner:name": "ACME"}
```
if it was not set by ZITADEL itself.
To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`.
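The advisory text above (in both the GHSA and OSV entries) describes the flaw and its fix in one sentence each: before the patch, a claim set by an action was written into the token unconditionally, so it could replace a reserved claim ZITADEL had already populated; after the patch, writes to keys starting with `urn:zitadel:iam` are refused. The following Go program is an added illustration of that guard, written for this page; it is not ZITADEL's own code and does not reflect how the project's action pipeline is structured. The types `ClaimWrite`, the functions `SetClaimUnguarded`, `SetClaimGuarded` and `ApplyActionClaims`, and the sample claims are all constructed for the example; the only value taken from the advisory is the reserved prefix and the example claim name.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ReservedClaimPrefix is the prefix the advisory names: claims under it are
// managed by ZITADEL and must not be changed by actions.
const ReservedClaimPrefix = "urn:zitadel:iam"

// ErrReservedClaim is returned when an action attempts to write a reserved claim.
var ErrReservedClaim = errors.New("claim is reserved and cannot be set by an action")

// ClaimWrite is one claim an action wants to add to a token
// (hypothetical type constructed for this example).
type ClaimWrite struct {
	Key   string
	Value any
}

// IsReservedClaim reports whether a claim key falls under the reserved prefix.
// The check is a plain, case-sensitive prefix match (an assumption of this example).
func IsReservedClaim(key string) bool {
	return strings.HasPrefix(key, ReservedClaimPrefix)
}

// SetClaimUnguarded models the pre-fix behaviour: every key is written, so an
// action can overwrite a reserved claim such as the resource owner name.
func SetClaimUnguarded(claims map[string]any, w ClaimWrite) {
	claims[w.Key] = w.Value
}

// SetClaimGuarded models the fixed behaviour: reserved keys are refused and the
// existing value is left untouched.
func SetClaimGuarded(claims map[string]any, w ClaimWrite) error {
	if IsReservedClaim(w.Key) {
		return fmt.Errorf("%w: %q", ErrReservedClaim, w.Key)
	}
	claims[w.Key] = w.Value
	return nil
}

// ApplyActionClaims applies a batch of action writes with the guard and returns
// the keys that were rejected, so the caller can log the attempt.
func ApplyActionClaims(claims map[string]any, writes []ClaimWrite) []string {
	var rejected []string
	for _, w := range writes {
		if err := SetClaimGuarded(claims, w); err != nil {
			rejected = append(rejected, w.Key)
		}
	}
	return rejected
}

func main() {
	// Constructed sample: claims as ZITADEL would have populated them before an action runs.
	base := func() map[string]any {
		return map[string]any{
			"sub":                                     "123456789",
			"urn:zitadel:iam:user:resourceowner:name": "Real Org",
		}
	}
	// Constructed sample: one legitimate custom claim and one attempt on a reserved claim.
	writes := []ClaimWrite{
		{Key: "department", Value: "engineering"},
		{Key: "urn:zitadel:iam:user:resourceowner:name", Value: "ACME"},
	}

	vulnerable := base()
	for _, w := range writes {
		SetClaimUnguarded(vulnerable, w)
	}
	fmt.Println("unguarded resourceowner:name =", vulnerable["urn:zitadel:iam:user:resourceowner:name"])

	fixed := base()
	rejected := ApplyActionClaims(fixed, writes)
	fmt.Println("guarded resourceowner:name =", fixed["urn:zitadel:iam:user:resourceowner:name"])
	fmt.Println("rejected keys:", rejected)
}
```

Run with `go run .`; the unguarded path reports `ACME` while the guarded path keeps `Real Org` and lists the reserved key as rejected. Returning the rejected keys rather than silently dropping them is a deliberate choice: an action that tries to write under `urn:zitadel:iam` is worth surfacing in logs, since on an unpatched instance the same write would have succeeded.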
### Patches
2.x versions are fixed on >= [2.48.3](https://github.com/zitadel/zitadel/releases/tag/v2.48.3)
2.47.x versions are fixed on >= [2.47.8](https://github.com/zitadel/zitadel/releases/tag/v2.47.8)
2.46.x versions are fixed on >= [2.46.5](https://github
https://github.com/zitadel/zitadel/releases/tag/v2.42.17
https://github.com/zitadel/zitadel/releases/tag/v2.43.11
https://github.com/zitadel/zitadel/releases/tag/v2.44.7
https://github.com/zitadel/zitadel/releases/tag/v2.45.5
https://github.com/zitadel/zitadel/releases/tag/v2.46.5
https://github.com/zitadel/zitadel/releases/tag/v2.47.8
https://github.com/zitadel/zitadel/releases/tag/v2.48.3
https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2