Zitadel Fixes Cookie Vulnerability Affecting User Sessions
CVE-2024-28197
What is CVE-2024-28197?
Zitadel, an open-source identity management system, has a vulnerability in how it manages user sessions through cookies. The flaw is that the session cookie is accessible to subdomains of the Zitadel instance, so an attacker who controls content on such a subdomain could exploit it by hosting a malicious link. Exploitation requires the affected user to navigate to that link, and it depends on two further conditions: the user's session cookie must be available, and a pre-existing weakness on a subdomain, such as a DNS compromise or a cross-site scripting issue, must already exist. Zitadel has issued patches in versions 2.46.0, 2.45.1, and 2.44.3, and users are urged to update to the latest versions to mitigate the risk. Note that applying the patch invalidates existing sessions, so users will need to sign in again.
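To make the scoping problem concrete, here is an added audit script (not Zitadel's own code) that parses a Set-Cookie header and reports which hosts, besides the issuing host, a browser would send the cookie to under RFC 6265 domain matching; the host and cookie names are constructed for illustration, and the "weak" header simply shows a Domain attribute scoped to the parent domain, not the exact attribute Zitadel used.

```python
# Added example, not Zitadel's own code: checks whether a session cookie is
# scoped so that subdomains of the instance receive it, which is the weakness
# this advisory describes. Host names and cookie names are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    domain: Optional[str] = None  # None means host-only (RFC 6265 section 5.3)
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into its scope-relevant attributes."""
    parts = [p.strip() for p in header.split(";")]
    cookie = Cookie(name=parts[0].split("=", 1)[0].strip())
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "domain" and value:
            # Browsers ignore a leading dot; the attribute covers the domain
            # itself and every subdomain of it.
            cookie.domain = value.lstrip(".").lower()
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: exact host or dot-separated suffix."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def receiving_hosts(cookie: Cookie, origin_host: str, hosts: list) -> list:
    """Hosts among `hosts` that a browser would send this cookie to."""
    if cookie.domain is None:  # host-only: exact issuing host, nothing else
        return [h for h in hosts if h.lower() == origin_host.lower()]
    return [h for h in hosts if domain_matches(h, cookie.domain)]


def subdomain_exposure(header: str, origin_host: str, hosts: list) -> list:
    """Hosts other than the issuer that would receive the cookie (should be empty)."""
    cookie = parse_set_cookie(header)
    return [h for h in receiving_hosts(cookie, origin_host, hosts)
            if h.lower() != origin_host.lower()]


# Constructed sample: a cookie scoped to the parent domain versus a host-only one.
HOSTS = ["auth.example.com", "app.example.com", "evil.example.com", "example.org"]
WEAK = "session=abc; Domain=.example.com; Path=/; Secure; HttpOnly"
FIXED = "session=abc; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    print("weak  ->", subdomain_exposure(WEAK, "auth.example.com", HOSTS))
    print("fixed ->", subdomain_exposure(FIXED, "auth.example.com", HOSTS))
```

Run against a real deployment by substituting the Set-Cookie value returned by the identity provider's login response and the hostnames of the instance's subdomains; any non-empty result means a compromised subdomain would receive the session cookie.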

Affected Version(s)
zitadel < 2.44.3 (patched in 2.44.3)
zitadel >= 2.45.0, < 2.45.1 (patched in 2.45.1)
