Zitadel up to 2.58.0 information exposure

Summaryinfo

A vulnerability has been found in Zitadel up to 2.58.0 and classified as problematic. Affected is an unknown function. This manipulation causes information exposure. This vulnerability appears as CVE-2024-41952. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Zitadel up to 2.58.0. It has been declared as problematic. Affected by this vulnerability is an unknown part. The manipulation with an unknown input leads to a information exposure vulnerability. The CWE definition for the vulnerability is CWE-203. The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. As an impact it is known to affect confidentiality. The summary by CVE is:

Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". Due to a implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases and an attacker would gain information if an account exist within ZITADEL, since the error message shows "object not found" instead of the generic error message. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, and 2.53.9.

It is possible to read the advisory at github.com. This vulnerability is known as CVE-2024-41952 since 07/24/2024. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

Upgrading to version 2.53.9, 2.54.8, 2.55.5, 2.56.2, 2.57.1 or 2.58.1 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Name

• Zitadel

Version

• 2.0
• 2.1
• 2.2
• 2.3
• 2.4
• 2.5
• 2.6
• 2.7
• 2.8
• 2.9
• 2.10
• 2.11
• 2.12
• 2.13
• 2.14
• 2.15
• 2.16
• 2.17
• 2.18
• 2.19
• 2.20
• 2.21
• 2.22
• 2.23
• 2.24
• 2.25
• 2.26
• 2.27
• 2.28
• 2.29
• 2.30
• 2.31
• 2.32
• 2.33
• 2.34
• 2.35
• 2.36
• 2.37
• 2.38
• 2.39
• 2.40
• 2.41
• 2.42
• 2.43
• 2.44
• 2.45
• 2.46
• 2.47
• 2.48
• 2.49
• 2.50
• 2.51
• 2.52
• 2.53
• 2.53.0
• 2.53.1
• 2.53.2
• 2.53.3
• 2.53.4
• 2.53.5
• 2.53.6
• 2.53.7
• 2.53.8
• 2.54
• 2.54.0
• 2.54.1
• 2.54.2
• 2.54.3
• 2.54.4
• 2.54.5
• 2.54.6
• 2.54.7
• 2.55
• 2.55.0
• 2.55.1
• 2.55.2
• 2.55.3
• 2.55.4
• 2.56
• 2.56.0
• 2.56.1
• 2.57
• 2.57.0
• 2.58.0

Website

• Product: https://github.com/zitadel/zitadel/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion