CVE-2024-29892 in Zitadel

Summary

by MITRE • 03/27/2024

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example, it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that prevents actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.


Analysis

by VulDB Data Team • 01/09/2025

CVE-2024-29892 affects ZITADEL, an open source authentication management platform that renders its login UI with Go templates. ZITADEL uses a claims-based identity model in which user attributes are carried as structured URN identifiers following the pattern urn:zitadel:iam:user:resourceowner:name. The core issue is insufficient validation of claims written during action execution: actions running inside the ZITADEL environment could modify claims that are normally protected and managed exclusively by the system itself.

The flaw is a privilege escalation weakness rooted in insufficient input validation of claim-modification operations. Specifically, the system did not reject user-supplied actions that set claims beginning with the reserved namespace urn:zitadel:iam, which should be immutable from an action's point of view and managed only by the authentication system. An action could therefore overwrite identity attributes that define user relationships and resource ownership within a ZITADEL instance.

The operational impact goes beyond data integrity, because the affected claims feed access control decisions. By overwriting a claim such as urn:zitadel:iam:user:resourceowner:name, an attacker able to influence an action could alter a user's resource ownership relationship, bypass authorization checks that rely on that claim, and gain access to protected resources. The vulnerability therefore touches the core authentication and authorization mechanisms ZITADEL relies on, enabling privilege escalation and unauthorized resource access.

The vulnerability was addressed in patch releases that add claim validation at the action execution layer: any claim whose key starts with the reserved namespace urn:zitadel:iam is now rejected when set by an action, so claims in protected namespaces cannot be altered by user actions or external inputs. The remediation follows security best practice for identity management systems and the principle of least privilege by keeping a strict boundary around system-managed identity attributes. Organizations using ZITADEL should upgrade immediately to 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, or 2.42.17. This vulnerability maps to CWE-20: Improper Input Validation and could be categorized under ATT&CK technique T1548.005: Server Software Component Compromise; it is a critical weakness in an identity management system and requires prompt remediation.
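The following Go program is an added illustration of the reserved-namespace check described above; it is not ZITADEL's code and does not use ZITADEL's internal APIs. It models an action-supplied claim set being merged into the token claims: `SetClaimUnchecked` shows the pre-fix behaviour, where an action can overwrite `urn:zitadel:iam:user:resourceowner:name`, and `SetClaim` / `ApplyActionClaims` show a hardened path that rejects any key with the `urn:zitadel:iam` prefix. The `Claims` type, the function names and the sample claim values are constructed for this example; the prefix and claim name come from the advisory text. The check also folds case and trims whitespace so a variant spelling of the prefix does not slip past, which goes slightly beyond the advisory's wording.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// reservedClaimPrefix is the namespace ZITADEL manages itself (from the advisory).
const reservedClaimPrefix = "urn:zitadel:iam"

// ErrReservedClaim is returned when an action tries to write into the reserved namespace.
var ErrReservedClaim = errors.New("claim key is in a reserved namespace")

// Claims is a token claim set; constructed type for this example.
type Claims map[string]any

// SetClaimUnchecked models the pre-fix behaviour: every key an action
// supplies is written, including keys in the reserved namespace.
func SetClaimUnchecked(c Claims, key string, value any) {
	c[key] = value
}

// isReservedClaim reports whether key falls into the reserved namespace.
// The comparison is case-folded and whitespace-trimmed so that spelling
// variants of the prefix are caught as well.
func isReservedClaim(key string) bool {
	normalized := strings.ToLower(strings.TrimSpace(key))
	return strings.HasPrefix(normalized, reservedClaimPrefix)
}

// SetClaim is the hardened single-key write: reserved keys are rejected and
// the claim set is left untouched.
func SetClaim(c Claims, key string, value any) error {
	if isReservedClaim(key) {
		return fmt.Errorf("%w: %q", ErrReservedClaim, key)
	}
	c[key] = value
	return nil
}

// ApplyActionClaims merges a batch of action-supplied claims into base.
// If any key is reserved, nothing is written and the offending keys are
// returned so the caller can log the attempt.
func ApplyActionClaims(base Claims, fromAction Claims) ([]string, error) {
	var rejected []string
	for k := range fromAction {
		if isReservedClaim(k) {
			rejected = append(rejected, k)
		}
	}
	if len(rejected) > 0 {
		return rejected, ErrReservedClaim
	}
	for k, v := range fromAction {
		base[k] = v
	}
	return nil, nil
}

// clone copies a claim set so the before/after runs start from the same state.
func clone(c Claims) Claims {
	out := make(Claims, len(c))
	for k, v := range c {
		out[k] = v
	}
	return out
}

func main() {
	// Constructed sample: claims ZITADEL itself placed in the token.
	system := Claims{
		"sub": "user-123",
		"urn:zitadel:iam:user:resourceowner:name": "acme-org",
	}
	// Constructed sample: what a misbehaving action tries to add.
	fromAction := Claims{
		"department": "engineering",
		"urn:zitadel:iam:user:resourceowner:name": "other-org",
	}

	before := clone(system)
	for k, v := range fromAction {
		SetClaimUnchecked(before, k, v)
	}
	fmt.Println("unchecked:", before["urn:zitadel:iam:user:resourceowner:name"])

	after := clone(system)
	rejected, err := ApplyActionClaims(after, fromAction)
	fmt.Println("hardened:", after["urn:zitadel:iam:user:resourceowner:name"], rejected, err)
}
```

Running the program prints `other-org` for the unchecked path and `acme-org` plus the rejected key for the hardened path, which is the behavioural difference the patch releases introduce. Rejecting the whole batch rather than silently dropping the reserved key is a design choice here: it surfaces a misconfigured or malicious action in logs instead of letting it partially succeed.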

Responsible

GitHub, Inc.

Reservation

03/21/2024

Disclosure

03/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00767

KEV

no

Activities

very low
