CVE-2024-39683
Published: 2024-07-03
Priority: P3 36 · Severity: Medium, CVSS 3.1 base score 6.5
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.61% (44.7th percentile)
ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created through the session service) were incorrectly listed, potentially exposing other users' sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 2.0.0 < 2.53.8 | 2.53.8 |
| github.com | zitadel_zitadel | >= 2.54.0 < 2.54.5 | 2.54.5 |
| github.com | zitadel_zitadel | >= 2.55.0 < 2.55.1 | 2.55.1 |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | >= 2.53.0 < 2.53.8 | 2.53.8 |
| zitadel | zitadel | >= 2.54.0 < 2.54.5 | 2.54.5 |
OSV
ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel
osv · 2024-07-09
CVE-2024-39683: ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel from v2.0.0 before v2.53.8, from v2.54.0 before v2.54.5, from v2.55.0 before v2.55.1.
GHSA
ZITADEL Vulnerable to Session Information Leakage
ghsa · 2024-07-05
CVE-2024-39683 [MEDIUM] CWE-200: ZITADEL Vulnerable to Session Information Leakage
### Impact
ZITADEL provides users the ability to list all user sessions of the current user agent (browser) by API and in the Console UI.
Due to a missing check, user sessions without that information (e.g. when created through the session service) were incorrectly listed, potentially exposing other users' sessions.
Note that the Login UI was never affected and there was no possibility to take over such a session.
### Patches
- 2.x versions are fixed on >= [2.55.1](https://github.com/zitadel/zitadel/releases/tag/v2.55.1)
- 2.54.x versions are fixed on >= [2.54.5](https://github.com/zitadel/zitadel/releases/tag/v2.54.5)
- 2.53.x versions are fixed on >= [2.53.8](https://github.com/zitadel/zitadel/releases/tag/v2.53.8)
ZITADEL recommends upgra
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://discord.com/channels/927474939156643850/1254096852937347153
- https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04
- https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da
- https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73
- https://github.com/zitadel/zitadel/issues/8213
- https://github.com/zitadel/zitadel/pull/8231
- https://github.com/zitadel/zitadel/releases/tag/v2.53.8
- https://github.com/zitadel/zitadel/releases/tag/v2.54.5
- https://github.com/zitadel/zitadel/releases/tag/v2.55.1
- https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397