Service Account Deactivation Issue in Zitadel Identity Management Platform
CVE-2024-47000
Summary
The Zitadel identity management platform contains a vulnerability in its user account deactivation mechanism that specifically affects service accounts. When a service account is deactivated, it incorrectly retains the ability to request authentication tokens, which poses a risk of unauthorized access to applications and resources. This flaw affects several versions of Zitadel, including 2.62.1, 2.61.1, and prior releases. Zitadel has issued updates that fix this issue, and users are strongly encouraged to upgrade immediately to secure their environments. As a temporary workaround, users who cannot upgrade can create new credentials to replace the old ones and ensure that all authentication keys associated with the deactivated service account are revoked. It is also essential to rotate the password of the service account to eliminate the risk of exploitation.
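The check below is an added example, not Zitadel's code and not part of the advisory: it assumes a hypothetical audit-log layout (`<ISO 8601 timestamp> <event> <user_id> [detail]`, with constructed sample lines) and flags every token grant to a service account that was deactivated at that moment, which is the exposure a defender would want to confirm for the window before upgrading. It sorts events first so out-of-order log lines do not hide a grant.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed audit lines in a hypothetical "<timestamp> <event> <user_id> [detail]"
# layout (not Zitadel's real event format). svc-ci is deactivated at 08:00 yet still
# obtains a token at 09:15; the 10:05 token is fine because it is reactivated at 10:00.
SAMPLE_LOG = """\
2024-09-10T08:00:00+00:00 deactivated svc-ci
2024-09-10T09:15:00+00:00 token_issued svc-ci jwt-profile
2024-09-10T09:30:00+00:00 token_issued svc-backup client-credentials
2024-09-11T10:05:00+00:00 token_issued svc-ci jwt-profile
2024-09-11T10:00:00+00:00 reactivated svc-ci
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "deactivated", "reactivated" or "token_issued"
    user_id: str
    detail: str


def parse_events(text):
    """Parse the constructed audit format; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue
        ts, kind, user_id = parts[0], parts[1], parts[2]
        detail = parts[3] if len(parts) == 4 else ""
        events.append(Event(datetime.fromisoformat(ts), kind, user_id, detail))
    return events


def tokens_issued_while_deactivated(events):
    """Return (user_id, iso_timestamp, detail) for each token grant made to a
    user who was deactivated at that moment. Events are replayed in time order,
    so a late-arriving reactivation line still clears the user correctly."""
    inactive = set()
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "deactivated":
            inactive.add(ev.user_id)
        elif ev.kind == "reactivated":
            inactive.discard(ev.user_id)
        elif ev.kind == "token_issued" and ev.user_id in inactive:
            findings.append((ev.user_id, ev.ts.isoformat(), ev.detail))
    return findings


if __name__ == "__main__":
    for user, ts, detail in tokens_issued_while_deactivated(parse_events(SAMPLE_LOG)):
        print(f"deactivated service account {user} obtained a token at {ts} ({detail})")
```

Any hit means the account's keys and password should be rotated as the advisory describes, since a token may already have been issued for the deactivated identity.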