ZITADEL Patches (T)OTP Check Lockout Mechanism in Version 2.50.0
CVE-2024-32868
8.1 HIGH
Summary
ZITADEL verifies Time-based One-Time Passwords (TOTP) as well as One-Time Passwords (OTP) delivered via SMS and email. Administrators can configure a lockout policy for failed password attempts, but no equivalent lockout mechanism existed for (T)OTP checks, so repeated failed (T)OTP attempts were not locked out. This gap could lead to unauthorized access if exploited. The issue is fixed starting from version 2.50.0, which applies a lockout mechanism to these verification checks as well.
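The following is an added illustration of the missing control, not ZITADEL's own code or its actual patch: a TOTP verifier that counts consecutive failed checks per user and refuses further attempts once a lockout threshold is reached, in the same spirit as the password lockout policy the advisory mentions. The Verifier and LockoutPolicy types, the three-attempt threshold and the user names are hypothetical; the TOTP arithmetic follows RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits) and the embedded secret is the public RFC test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Errors returned by Verify. ErrLocked is returned before the submitted code is
// evaluated, so a locked account yields no information about the code.
var (
	ErrInvalidCode = errors.New("otp: invalid code")
	ErrLocked      = errors.New("otp: account locked after too many failed attempts")
)

// LockoutPolicy is a hypothetical policy type: after MaxAttempts consecutive
// failed (T)OTP checks the account is locked until an operator resets it.
type LockoutPolicy struct {
	MaxAttempts int
}

type attemptState struct {
	failed int
	locked bool
}

// Verifier checks TOTP codes and tracks failed attempts per user (hypothetical).
type Verifier struct {
	mu     sync.Mutex
	policy LockoutPolicy
	state  map[string]*attemptState
}

func NewVerifier(p LockoutPolicy) *Verifier {
	return &Verifier{policy: p, state: map[string]*attemptState{}}
}

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation, 6 decimal digits.
func hotp(secret []byte, counter uint64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp implements RFC 6238 with a 30-second time step on top of hotp.
func totp(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix()/30))
}

// Verify checks code for user. Failed checks are counted; once the policy
// threshold is reached every further call returns ErrLocked without
// evaluating the code. A successful check resets the failure counter.
func (v *Verifier) Verify(user string, secret []byte, code string, now time.Time) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	st := v.state[user]
	if st == nil {
		st = &attemptState{}
		v.state[user] = st
	}
	if st.locked {
		return ErrLocked
	}
	// Accept the current step and one step either side to tolerate clock skew;
	// compare in constant time and do not short-circuit on the first match.
	ok := false
	for delta := int64(-1); delta <= 1; delta++ {
		candidate := totp(secret, now.Add(time.Duration(delta)*30*time.Second))
		if hmac.Equal([]byte(candidate), []byte(code)) {
			ok = true
		}
	}
	if ok {
		st.failed = 0
		return nil
	}
	st.failed++
	if st.failed >= v.policy.MaxAttempts {
		st.locked = true
	}
	return ErrInvalidCode
}

// Locked reports whether the user has hit the lockout threshold.
func (v *Verifier) Locked(user string) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	st := v.state[user]
	return st != nil && st.locked
}

func main() {
	// RFC 6238 test secret; at Unix time 59 the 6-digit SHA1 code is 287082.
	secret := []byte("12345678901234567890")
	now := time.Unix(59, 0)
	v := NewVerifier(LockoutPolicy{MaxAttempts: 3})
	for i := 0; i < 4; i++ {
		fmt.Println("wrong code attempt", i+1, "->", v.Verify("bob", secret, "000000", now))
	}
	fmt.Println("correct code while locked ->", v.Verify("bob", secret, "287082", now))
}
```

In the advisory's terms, the pre-2.50.0 behaviour corresponds to a verifier with no `attemptState` at all: every call evaluates the code regardless of how many wrong ones preceded it. The lockout counter is the part the patch adds; a production implementation would persist it alongside the user record rather than in memory.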
Affected Version(s)
zitadel < 2.50.0
References
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published