CVE-2024-49753

Summary

Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.

Affected Software

VendorProductVersion RangeStatus
zitadelzitadel>= 2.64, < 2.64.1affected
zitadelzitadel>= 2.63, < 2.63.6affected
zitadelzitadel>= 2.62, < 2.62.8affected
zitadelzitadel>= 2.61, < 2.61.4affected
zitadelzitadel>= 2.60, < 2.60.4affected
zitadelzitadel>= 2.59, < 2.59.5affected
zitadelzitadel< 2.58.7affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References