Identity Management System Vulnerability in Zitadel
CVE-2024-41952

5.3 MEDIUM

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 31 July 2024

Summary

Zitadel, an open-source identity management system, has a vulnerability in its 'Ignoring unknown usernames' security setting. When the setting is enabled, a login attempt for a non-existent user is supposed to fail with the same generic error as a wrong password, so that an attacker cannot tell whether a username exists. A change that optimized the underlying database call broke this: affected versions answer 'object not found' for unknown users instead of the generic message, so an unauthenticated attacker can enumerate valid usernames and the setting no longer provides the protection it promises. The issue is fixed in versions 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8 and 2.53.9; details of the individual fixes are in the GitHub links the advisory references.
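The failure mode described above, as an added example that is not Zitadel's own code: a hypothetical login routine in Go (the language Zitadel is written in) with an in-memory user store standing in for the database. The vulnerable variant passes the store's 'object not found' error straight through, which is the pattern the advisory describes; the fixed variant collapses a not-found result into the same generic error a wrong password produces whenever the setting is on. The setting flag name, the error strings, the store and the function names are all assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory user store standing in for the database.
// Added illustration only; none of this is Zitadel's code.
var errNotFound = errors.New("object not found") // what the optimized DB call surfaces

// errInvalidLogin is the generic, non-revealing message that the
// "Ignoring unknown usernames" setting is supposed to enforce.
var errInvalidLogin = errors.New("Username or Password is wrong")

type userStore map[string]string // username -> password (plain text only for the demo)

func (s userStore) lookup(username string) (string, error) {
	pw, ok := s[username]
	if !ok {
		return "", errNotFound
	}
	return pw, nil
}

// loginVulnerable mirrors the broken pattern: the lookup error is returned
// as-is, so an unknown user gets "object not found" even when ignoreUnknown
// is set, while a known user with a wrong password gets the generic error.
func loginVulnerable(s userStore, ignoreUnknown bool, username, password string) error {
	pw, err := s.lookup(username)
	if err != nil {
		return err // leaks existence regardless of ignoreUnknown
	}
	if pw != password {
		return errInvalidLogin
	}
	return nil
}

// loginFixed honours the setting: with ignoreUnknown on, a not-found result
// becomes the same generic error as a wrong password. With the setting off
// the not-found error is surfaced, which is the documented behaviour.
func loginFixed(s userStore, ignoreUnknown bool, username, password string) error {
	pw, err := s.lookup(username)
	if err != nil {
		if ignoreUnknown && errors.Is(err, errNotFound) {
			return errInvalidLogin
		}
		return err
	}
	if pw != password {
		return errInvalidLogin
	}
	return nil
}

// enumerable reports whether an attacker who tries a known user with a wrong
// password and an unknown user can tell the two apart from the error text
// while the setting is enabled.
func enumerable(login func(userStore, bool, string, string) error, s userStore) bool {
	known := login(s, true, "alice", "wrong-password")
	unknown := login(s, true, "nobody", "wrong-password")
	return known.Error() != unknown.Error()
}

func main() {
	store := userStore{"alice": "correct horse battery staple"} // constructed sample data
	fmt.Println("vulnerable variant leaks existence:", enumerable(loginVulnerable, store))
	fmt.Println("fixed variant leaks existence:", enumerable(loginFixed, store))
}
```

Identical error text is necessary but not sufficient: the unknown-user path must also return the same HTTP status and body shape, and should take about as long as a real password check (for example by running the password verifier against a dummy hash), otherwise a timing side channel reintroduces the enumeration the setting is meant to prevent.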

Affected Version(s)

zitadel >= 2.53.0, < 2.53.9 (fixed in 2.53.9)

zitadel >= 2.54.0, < 2.54.8 (fixed in 2.54.8)

zitadel >= 2.55.0, < 2.55.5 (fixed in 2.55.5)

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 31 July 2024

  • Vulnerability reserved