Zitadel Fixes Cookie Vulnerability Affecting User Sessions
CVE-2024-28197

7.5 HIGH

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 11 March 2024

Summary

Zitadel, an open-source identity management system, has a vulnerability in how it manages user sessions through cookies. The session cookie is accessible on subdomains of the Zitadel instance, which could allow an attacker who hosts a malicious link to abuse it. An affected user must navigate to the harmful link for the vulnerability to be exploited, and the attack depends on both the availability of the user's cookie and a pre-existing weakness on a subdomain, such as a DNS compromise or a cross-site scripting issue. Zitadel has issued patches in versions 2.46.0, 2.45.1, and 2.44.3, and users are urged to update to the latest versions to mitigate the risk. Note that applying the patch invalidates existing sessions, so users will have to start a new session.
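The condition described above (a session cookie whose scope reaches subdomains of the instance) can be checked from the `Set-Cookie` headers a server emits. The following audit helper is an added example, not code from the advisory or from the Zitadel project; the cookie name `session`, the host `auth.example.com` and the header samples are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class CookieAudit:
    name: str
    domain: Optional[str]          # value of the Domain attribute, None if host-only
    findings: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value or None})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or None
    return name, attrs

def audit_session_cookie(header: str, issuing_host: str) -> CookieAudit:
    """Flag scoping that lets subdomains receive a session cookie set by issuing_host."""
    name, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    audit = CookieAudit(name=name, domain=domain)
    if domain is not None:
        # Per RFC 6265 a cookie without a Domain attribute is host-only; any Domain
        # attribute widens it to the whole domain tree, so every subdomain sees it.
        scope = domain.lstrip(".").lower()
        audit.findings.append(f"Domain={domain} sends the cookie to every subdomain of {scope}")
        host = issuing_host.lower()
        if host != scope and host.endswith("." + scope):
            audit.findings.append(f"scope {scope} is wider than the issuing host {host}")
    if not name.startswith("__Host-"):
        # Browsers reject a __Host- cookie that carries a Domain attribute, so the
        # prefix makes host-only scoping enforced rather than accidental.
        audit.findings.append("name lacks the __Host- prefix")
    if "secure" not in attrs:
        audit.findings.append("missing Secure")
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly")
    return audit

if __name__ == "__main__":
    # Constructed headers as an identity server at auth.example.com might send them.
    for hdr in ("session=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
                "__Host-session=abc123; Path=/; Secure; HttpOnly"):
        result = audit_session_cookie(hdr, "auth.example.com")
        print(result.name, "->", result.findings or "host-only, no findings")
```

Running the audit against a patched and an unpatched instance's login response is a quick way to confirm the update took effect, since the fix is precisely a narrower cookie scope.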

Affected Version(s)

zitadel < 2.44.3

zitadel >= 2.45.0, < 2.45.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved