CVE-2024-32868
Published 2024-04-26
Priority: P3 47 · Severity: high · CVSS 3.1: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.46% (36.3 percentile)
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 2.50.0 | 2.50.0 |
| zitadel | zitadel | < 2.50.0 | 2.50.0 |
OSV · 2024-06-05
CVE-2024-32868 ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel before v2.50.0.
OSV · 2024-04-25
CVE-2024-32868 [HIGH] ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass
### Impact
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email.
While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks.
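As an added example (not ZITADEL's own code), the kind of check the advisory describes as missing: a TOTP verification that charges every failed attempt against a configurable lockout policy, the same way failed password checks are counted. The type and function names are hypothetical, and `MaxOTPAttempts == 0` is used here to model the unlimited-attempt behaviour of versions before 2.50.0.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// LockoutPolicy and OTPState are hypothetical names, not ZITADEL's own types.
// MaxOTPAttempts == 0 means "no limit", modelling the pre-2.50.0 behaviour the advisory describes.
type LockoutPolicy struct{ MaxOTPAttempts uint64 }
type OTPState struct{ FailedAttempts uint64; Locked bool } // per-user failure counter

var ErrLocked = errors.New("user locked: too many failed OTP attempts")
var ErrInvalidCode = errors.New("invalid code")

// totpCode derives an RFC 6238 code (HMAC-SHA1, 6 digits) for a time-step counter.
func totpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// CheckTOTP verifies code against the current 30-second step and counts each
// failure against the lockout policy, as a failed password check would be counted.
func CheckTOTP(state *OTPState, policy LockoutPolicy, secret []byte, code string, now time.Time) error {
	if state.Locked {
		return ErrLocked
	}
	expected := totpCode(secret, uint64(now.Unix())/30)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
		state.FailedAttempts = 0 // a successful check resets the counter
		return nil
	}
	state.FailedAttempts++
	if policy.MaxOTPAttempts > 0 && state.FailedAttempts >= policy.MaxOTPAttempts {
		state.Locked = true
		return ErrLocked
	}
	return ErrInvalidCode
}
```

With the RFC 6238 test secret `12345678901234567890` and a policy of three attempts, the third wrong code locks the user and a subsequent correct code is still rejected; with `LockoutPolicy{}` the counter grows without ever locking.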
### Patches
2.x versions are fixed in >= [2.50.0](https://github.com/zitadel/zitadel/releases/tag/v2.50.0)
### Workarounds
There is no workaround since a patch is already available.
### References
None
### Questions
If you have any questions or comments about this advisory, please email us at [[email protected]](mailto:[email protected])
### Credits
Thanks to Jack Moran from Layer 9 Information
GHSA · 2024-04-25
CVE-2024-32868 [HIGH] CWE-287 ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass (advisory text identical to the OSV entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.