CVE-2024-49757
Published: 2024-10-25
Priority: P4 · 31 · Severity: medium · CVSS 3.1 base score: 4.9
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Exploit: EPSS 2.57% (83.2nd percentile)
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | zitadel_zitadel | >= 0 < 2.58.7 | 2.58.7 |
| github.com | zitadel_zitadel | >= 2.59.0 < 2.59.5 | 2.59.5 |
| github.com | zitadel_zitadel | >= 2.60.0 < 2.60.4 | 2.60.4 |
| github.com | zitadel_zitadel | >= 2.61.0 < 2.61.4 | 2.61.4 |
| github.com | zitadel_zitadel | >= 2.62.0 < 2.62.7 | 2.62.7 |
| github.com | zitadel_zitadel | >= 2.63.0 < 2.63.5 | 2.63.5 |
| zitadel | zitadel | < 2.58.6 | 2.58.6 |
| zitadel | zitadel | < 2.58.7 | 2.58.7 |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | — | — |
| zitadel | zitadel | >= 2.59.0 < 2.59.5 | 2.59.5 |
| zitadel | zitadel | >= 2.60.0 < 2.60.4 | 2.60.4 |
| zitadel | zitadel | >= 2.61.0 < 2.61.4 | 2.61.4 |
| zitadel | zitadel | >= 2.62.0 < 2.62.7 | 2.62.7 |
| zitadel | zitadel | >= 2.63.0 < 2.63.5 | 2.63.5 |
OSV · 2024-10-28
CVE-2024-49757: User Registration Bypass in Zitadel in github.com/zitadel/zitadel
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/zitadel/zitadel before v2.58.7, from v2.59.0 before v2.59.5, from v2.60.0 before v2.60.4, from v2.61.0 before v2.61.4, from v2.62.0 before v2.62.7, from v2.63.0 before v2.63.5.
OSV · 2024-10-25
CVE-2024-49757 [HIGH]: User Registration Bypass in Zitadel
### Impact
Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.63.4, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way.
### Patches
2.x versions are fixed on >= [2.64.0](https://github.com/zitadel/zitadel/releases/tag/v2.64.0)
2.63.x versions are fixed on >= [2.63.5](https://github.com/zitadel/zitadel/releases/tag/v2.63.5)
2.62.x versions are fixed on >= [2.62.7](https://github.com/zitadel/zitadel/releases/tag/v2.62.7)
2.61.x versions are fixed on >= [2.61.4](https://github.com/zitadel/zitadel/releases/
GHSA · 2024-10-25
CVE-2024-49757 [HIGH] CWE-287: User Registration Bypass in Zitadel
### Impact
Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.63.4, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way.
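The root cause described above is a control enforced only in the UI: hiding the registration link changes what the browser is offered, not what the server accepts, so the registration route itself has to re-check the policy. The following Go program is an added illustration, not Zitadel's own code: the `LoginPolicy` type, the `PolicyStore` interface, the `/register` route and the in-memory store are all assumptions made for the example. It contrasts the UI-only pattern with a handler that re-checks the policy, and drives both with `net/http/httptest` the way a regression test would.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// LoginPolicy is a stand-in for an organisation's login settings. The type
// and field names are assumptions for this example, not Zitadel's own API.
type LoginPolicy struct {
	AllowRegister bool // the "User Registration allowed" toggle
}

// PolicyStore is a hypothetical lookup for the current login policy.
type PolicyStore interface {
	LoginPolicy() LoginPolicy
}

type memStore struct{ policy LoginPolicy }

func (m memStore) LoginPolicy() LoginPolicy { return m.policy }

// registerPath is a hypothetical route for the registration step.
const registerPath = "/register"

// renderLoginPage hides the registration link when the policy forbids it.
// This is UI gating only: it decides what the login page shows, and nothing
// about this function stops a request that is sent straight to registerPath.
func renderLoginPage(s PolicyStore) string {
	page := `<form action="/loginname" method="post">...</form>`
	if s.LoginPolicy().AllowRegister {
		page += `<a href="` + registerPath + `">Register</a>`
	}
	return page
}

// vulnerableRegisterHandler mirrors the pattern the advisory describes: the
// registration step relies on the link having been hidden and never re-checks
// the policy, so a request to the route is processed regardless of the toggle.
func vulnerableRegisterHandler(s PolicyStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		createUser(w)
	}
}

// fixedRegisterHandler re-checks the policy on every request to the
// registration route, so the hidden link is no longer the only control.
func fixedRegisterHandler(s PolicyStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !s.LoginPolicy().AllowRegister {
			http.Error(w, "self-registration is disabled", http.StatusForbidden)
			return
		}
		createUser(w)
	}
}

// createUser stands in for the real registration logic.
func createUser(w http.ResponseWriter) {
	w.WriteHeader(http.StatusCreated)
}

// registerStatus sends a request directly to the registration route, without
// ever loading the login page, and returns the HTTP status code the handler
// produced. This is the check a deployment test should make with the toggle off.
func registerStatus(h http.Handler) int {
	req := httptest.NewRequest(http.MethodPost, registerPath, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	disabled := memStore{LoginPolicy{AllowRegister: false}}
	fmt.Println("login page with registration disabled:", renderLoginPage(disabled))
	fmt.Println("vulnerable handler, direct request:", registerStatus(vulnerableRegisterHandler(disabled)))
	fmt.Println("fixed handler, direct request:     ", registerStatus(fixedRegisterHandler(disabled)))
}
```

The useful regression check for an identity deployment is the one `registerStatus` performs: with self-registration switched off, the registration route must refuse the request on its own, independently of whether the login page shows a link. After upgrading to one of the fixed versions listed in this advisory, that check is a quick way to confirm the setting is now enforced server-side.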
### Patches
2.x versions are fixed on >= [2.64.0](https://github.com/zitadel/zitadel/releases/tag/v2.64.0)
2.63.x versions are fixed on >= [2.63.5](https://github.com/zitadel/zitadel/releases/tag/v2.63.5)
2.62.x versions are fixed on >= [2.62.7](https://github.com/zitadel/zitadel/releases/tag/v2.62.7)
2.61.x versions are fixed on >= [2.61.4](https://github.com/zitadel/zitadel/releases/
No detection rules found.
Nuclei · CVSS 4.9
CVE-2024-49757 [MEDIUM]: Zitadel - User Registration Bypass
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
Template:

```yaml
id: CVE-2024-49757

info:
  name: Zitadel - User Registration Bypass
  author: Sujal Tuladhar
  severity: high
  description: |
    The open-source identity infrastructure software
```
No writeups or analysis indexed.
References:
- https://github.com/zitadel/zitadel/releases/tag/v2.58.7
- https://github.com/zitadel/zitadel/releases/tag/v2.59.5
- https://github.com/zitadel/zitadel/releases/tag/v2.60.4
- https://github.com/zitadel/zitadel/releases/tag/v2.61.4
- https://github.com/zitadel/zitadel/releases/tag/v2.62.7
- https://github.com/zitadel/zitadel/releases/tag/v2.63.5
- https://github.com/zitadel/zitadel/releases/tag/v2.64.0
- https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc