Zitadel up to 2.48.2 Avatar Image unrestricted upload

Summaryinfo

A vulnerability identified as critical has been detected in Zitadel up to 2.48.2. This affects an unknown part of the component Avatar Image Handler. This manipulation causes unrestricted upload. This vulnerability is tracked as CVE-2024-29891. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Zitadel up to 2.48.2. Affected by this vulnerability is some unknown functionality of the component Avatar Image Handler. The manipulation with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434. The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in the browser, where a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.

The advisory is shared at github.com. This vulnerability is known as CVE-2024-29891 since 03/21/2024. The exploitation appears to be easy. The attack can be launched remotely. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1608.002 for this issue.

Upgrading to version 2.42.17, 2.43.11, 2.44.7, 2.45.5, 2.46.5, 2.47.8 or 2.48.3 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• Zitadel

Version

• 2.42.0
• 2.42.1
• 2.42.2
• 2.42.3
• 2.42.4
• 2.42.5
• 2.42.6
• 2.42.7
• 2.42.8
• 2.42.9
• 2.42.10
• 2.42.11
• 2.42.12
• 2.42.13
• 2.42.14
• 2.42.15
• 2.42.16
• 2.43.0
• 2.43.1
• 2.43.2
• 2.43.3
• 2.43.4
• 2.43.5
• 2.43.6
• 2.43.7
• 2.43.8
• 2.43.9
• 2.43.10
• 2.44.0
• 2.44.1
• 2.44.2
• 2.44.3
• 2.44.4
• 2.44.5
• 2.44.6
• 2.45.0
• 2.45.1
• 2.45.2
• 2.45.3
• 2.45.4
• 2.46.0
• 2.46.1
• 2.46.2
• 2.46.3
• 2.46.4
• 2.47.0
• 2.47.1
• 2.47.2
• 2.47.3
• 2.47.4
• 2.47.5
• 2.47.6
• 2.47.7
• 2.48.0
• 2.48.1
• 2.48.2

Website

• Product: https://github.com/zitadel/zitadel/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion