CVE-2024-29892

EUVD-2024-0928

27.03.2024, 20:15

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
GitHub_M	CNA	6.1 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Affected Products (NVD)

Vendor	Product	Version
zitadel	zitadel	𝑥 < 2.42.17
zitadel	zitadel	2.43.0 ≤ 𝑥 < 2.43.11
zitadel	zitadel	2.44.0 ≤ 𝑥 < 2.44.7
zitadel	zitadel	2.45.0 ≤ 𝑥 < 2.45.5
zitadel	zitadel	2.46.0 ≤ 𝑥 < 2.46.5
zitadel	zitadel	2.47.0 ≤ 𝑥 < 2.47.8
zitadel	zitadel	2.48.0 ≤ 𝑥 < 2.48.3