CVE-2024-29892

ADVISORY - github

Summary

Impact

Under certain circumstances, an action could set reserved claims that are managed by ZITADEL.

For example, it was possible to set the claim urn:zitadel:iam:user:resourceowner:name

{"urn:zitadel:iam:user:resourceowner:name": "ACME"}

if ZITADEL itself had not already set it.

To address this, we introduced a protection that prevents actions from changing any claim whose name starts with urn:zitadel:iam.
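The protection described above, as an added illustration that is not ZITADEL's own code: a pre-fix merge of action-supplied claims beside a prefix-guarded merge. The Claims type, the function names and the sample values ("sub", "department", "eng") are assumptions for this example; the claim name and the ACME value come from the advisory.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Claims: assumed flat key/value claim set of a token or userinfo response.
type Claims map[string]any
// Namespace the advisory says ZITADEL now protects from actions.
const reservedPrefix = "urn:zitadel:iam"

// mergeUnchecked mirrors the pre-fix behaviour: every action-supplied claim is merged,
// so an action can introduce a reserved claim ZITADEL itself never set.
func mergeUnchecked(base, fromAction Claims) Claims {
	out := make(Claims, len(base)+len(fromAction))
	for k, v := range base {
		out[k] = v
	}
	for k, v := range fromAction {
		out[k] = v
	}
	return out
}

// mergeProtected applies the fix: any key under the reserved prefix is never taken from
// an action, whether or not it is already present; rejected keys are returned sorted
// so a caller can log them for detection.
func mergeProtected(base, fromAction Claims) (Claims, []string) {
	out := mergeUnchecked(base, Claims{}) // copy of base
	var rejected []string
	for k, v := range fromAction {
		if strings.HasPrefix(k, reservedPrefix) {
			rejected = append(rejected, k)
			continue
		}
		out[k] = v
	}
	sort.Strings(rejected)
	return out, rejected
}

func main() {
	// Constructed sample: ZITADEL set "sub"; the action tries to add the advisory's claim.
	base := Claims{"sub": "user-1"}
	fromAction := Claims{"urn:zitadel:iam:user:resourceowner:name": "ACME", "department": "eng"}
	fmt.Println("unchecked:", mergeUnchecked(base, fromAction))
	out, rejected := mergeProtected(base, fromAction)
	fmt.Println("protected:", out, "rejected:", rejected)
}
```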

Patches

2.x versions are fixed on >= 2.48.3
2.47.x versions are fixed on >= 2.47.8
2.46.x versions are fixed on >= 2.46.5
2.45.x versions are fixed on >= 2.45.5
2.44.x versions are fixed on >= 2.44.7
2.43.x versions are fixed on >= 2.43.11
2.42.x versions are fixed on >= 2.42.17

Workarounds

No workaround is available, since a patch is available.

Credits

Many thanks to @schettn, whose disclosure of another topic led us to find this issue.

EPSS Score: 0.00171 (0.389)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Incorrect Authorization

ADVISORY - github

Incorrect Authorization

ADVISORY - gitlab

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Incorrect Authorization

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

NIST

Exploitability score: 0.9
Exploits found: -
CVSS score: 6.1 (medium)

GitHub

Exploitability score: 0.9
Exploits found: -
CVSS score: 8.3 (high)

GoLang

Advisory ID: GO-2024-2664
Exploitability score: -
Exploits found: -
CWE: -
Rating unavailable from advisory

GitLab

Advisory ID: CVE-2024-29892
Exploitability score: 0.9
Exploits found: -
CVSS score: 6.1 (medium)