ZITADEL Fixes Issue Exposing Other Users' Sessions
CVE-2024-39683

6.5MEDIUM

Key Information:

Vendor
Zitadel
Status
Zitadel
Vendor
CVE Published:
3 July 2024

Summary

ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created though the session service) were incorrectly listed exposing potentially other user's sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available.

Affected Version(s)

zitadel = 2.55.0 = 2.55.0

zitadel >= 2.54.0, < 2.54.5 < 2.54.0, 2.54.5

zitadel >= 2.53.0, < 2.53.8 < 2.53.0, 2.53.8

References

https://github.com/zitadel/zitadel/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/zitadel/zitadel/issues/8213
x_refsource_MISC
https://github.com/zitadel/zitadel/pull/8231
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.