Zitadel up to 2.62.0 Deactivation privileges management

Summaryinfo

A vulnerability was found in Zitadel up to 2.62.0. It has been rated as critical. This affects an unknown function of the component Deactivation Handler. Performing a manipulation results in privileges management. This vulnerability is reported as CVE-2024-46999. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Zitadel up to 2.62.0. It has been classified as critical. This affects an unknown function of the component Deactivation Handler. The manipulation with an unknown input leads to a privileges management vulnerability. CWE is classifying the issue as CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore.

It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2024-46999 since 09/16/2024. The exploitability is told to be easy. It is possible to initiate the attack remotely. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.

Upgrading to version 2.54.10, 2.55.8, 2.56.6, 2.57.5, 2.58.5, 2.59.3, 2.60.2, 2.61.1 or 2.62.1 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Name

• Zitadel

Version

• 2.0
• 2.1
• 2.2
• 2.3
• 2.4
• 2.5
• 2.6
• 2.7
• 2.8
• 2.9
• 2.10
• 2.11
• 2.12
• 2.13
• 2.14
• 2.15
• 2.16
• 2.17
• 2.18
• 2.19
• 2.20
• 2.21
• 2.22
• 2.23
• 2.24
• 2.25
• 2.26
• 2.27
• 2.28
• 2.29
• 2.30
• 2.31
• 2.32
• 2.33
• 2.34
• 2.35
• 2.36
• 2.37
• 2.38
• 2.39
• 2.40
• 2.41
• 2.42
• 2.43
• 2.44
• 2.45
• 2.46
• 2.47
• 2.48
• 2.49
• 2.50
• 2.51
• 2.52
• 2.53
• 2.54
• 2.54.0
• 2.54.1
• 2.54.2
• 2.54.3
• 2.54.4
• 2.54.5
• 2.54.6
• 2.54.7
• 2.54.8
• 2.54.9
• 2.55
• 2.55.0
• 2.55.1
• 2.55.2
• 2.55.3
• 2.55.4
• 2.55.5
• 2.55.6
• 2.55.7
• 2.56
• 2.56.0
• 2.56.1
• 2.56.2
• 2.56.3
• 2.56.4
• 2.56.5
• 2.57
• 2.57.0
• 2.57.1
• 2.57.2
• 2.57.3
• 2.57.4
• 2.58
• 2.58.0
• 2.58.1
• 2.58.2
• 2.58.3
• 2.58.4
• 2.59
• 2.59.0
• 2.59.1
• 2.59.2
• 2.60
• 2.60.0
• 2.60.1
• 2.61
• 2.61.0
• 2.62.0

Website

• Product: https://github.com/zitadel/zitadel/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion