CVE-2024-46999
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Summary
Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grants to make sure the user does not get access anymore.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| zitadel | zitadel | >= 2.62.0, < 2.62.1 | affected |
| zitadel | zitadel | >= 2.61.0, < 2.61.1 | affected |
| zitadel | zitadel | >= 2.60.0, < 2.60.2 | affected |
| zitadel | zitadel | >= 2.59.0, < 2.59.3 | affected |
| zitadel | zitadel | >= 2.58.0, < 2.58.5 | affected |
| zitadel | zitadel | >= 2.57.0, < 2.57.5 | affected |
| zitadel | zitadel | >= 2.56.0, < 2.56.6 | affected |
| zitadel | zitadel | >= 2.55.0, < 2.55.8 | affected |
| zitadel | zitadel | < 2.54.10 | affected |
Weaknesses
- CWE-269: CWE-269: Improper Privilege Management
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.