Zitadel up to 2.62.0 Deactivation information disclosure

Summaryinfo

A vulnerability identified as problematic has been detected in Zitadel up to 2.62.0. Affected is an unknown function of the component Deactivation Handler. The manipulation leads to information disclosure. This vulnerability is traded as CVE-2024-47060. It is possible to initiate the attack remotely. There is no exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Zitadel up to 2.62.0. It has been rated as problematic. This issue affects some unknown functionality of the component Deactivation Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. The summary by CVE is:

Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2024-47060 since 09/17/2024. The exploitation is known to be easy. The attack may be initiated remotely. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

Upgrading to version 2.54.10, 2.55.8, 2.56.6, 2.57.5, 2.58.5, 2.59.3, 2.60.2, 2.61.1 or 2.62.1 eliminates this vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• Zitadel

Version

• 2.0
• 2.1
• 2.2
• 2.3
• 2.4
• 2.5
• 2.6
• 2.7
• 2.8
• 2.9
• 2.10
• 2.11
• 2.12
• 2.13
• 2.14
• 2.15
• 2.16
• 2.17
• 2.18
• 2.19
• 2.20
• 2.21
• 2.22
• 2.23
• 2.24
• 2.25
• 2.26
• 2.27
• 2.28
• 2.29
• 2.30
• 2.31
• 2.32
• 2.33
• 2.34
• 2.35
• 2.36
• 2.37
• 2.38
• 2.39
• 2.40
• 2.41
• 2.42
• 2.43
• 2.44
• 2.45
• 2.46
• 2.47
• 2.48
• 2.49
• 2.50
• 2.51
• 2.52
• 2.53
• 2.54
• 2.54.0
• 2.54.1
• 2.54.2
• 2.54.3
• 2.54.4
• 2.54.5
• 2.54.6
• 2.54.7
• 2.54.8
• 2.54.9
• 2.55
• 2.55.0
• 2.55.1
• 2.55.2
• 2.55.3
• 2.55.4
• 2.55.5
• 2.55.6
• 2.55.7
• 2.56
• 2.56.0
• 2.56.1
• 2.56.2
• 2.56.3
• 2.56.4
• 2.56.5
• 2.57
• 2.57.0
• 2.57.1
• 2.57.2
• 2.57.3
• 2.57.4
• 2.58
• 2.58.0
• 2.58.1
• 2.58.2
• 2.58.3
• 2.58.4
• 2.59
• 2.59.0
• 2.59.1
• 2.59.2
• 2.60
• 2.60.0
• 2.60.1
• 2.61
• 2.61.0
• 2.62.0

Website

• Product: https://github.com/zitadel/zitadel/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion