CVE-2024-32868

Summary

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a Lockout Policy with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0.

Affected Software

VendorProductVersion RangeStatus
zitadelzitadel< 2.50.0affected

Weaknesses

  • CWE-307: CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-297: CWE-297: Improper Validation of Certificate with Host Mismatch

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References