Intermittent issues accessing Registry, Hub, Scout, DBC, DHI - We are seeing intermittent issues accessing and using our services across many of our products. See dockerstatus.com⁠ for updates.

CVE-2024-29892

ADVISORY - github

Summary

Impact

Under certain circumstances an action could set reserved claims managed by ZITADEL.

For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name

{"urn:zitadel:iam:user:resourceowner:name": "ACME"}

if it was not set by ZITADEL itself.

To compensate for this we introduced a protection that does prevent actions from changing claims that start with urn:zitadel:iam

Patches

2.x versions are fixed on >= 2.48.3 2.47.x versions are fixed on >= 2.47.8 2.46.x versions are fixed on >= 2.46.5 2.45.x versions are fixed on >= 2.45.5 2.44.x versions are fixed on >= 2.44.7 2.43.x versions are fixed on >= 2.43.11 2.42.x versions are fixed on >= 2.42.17

Workarounds

No workaround available since a patch is available

Credits

Many thanks to @schettn whose disclosure of another topic lead us to find this issue.

EPSS Score⁠: 0.00171 (0.389)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-863⁠

Incorrect Authorization

ADVISORY - github

CWE-863⁠

Incorrect Authorization

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-863⁠

Incorrect Authorization

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Impacted images

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.