Zitadel Disables User Self-Registration Due to Security Vulnerability
CVE-2024-49757

7.5 HIGH

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 25 October 2024

Summary

A security issue in the Zitadel identity infrastructure software allows users to register even when an administrator has disabled self-registration. The flaw arises from a lack of proper security checks in affected versions (prior to 2.64.0, including versions 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7). Disabling user self-registration only hides the registration button on the login interface; the restriction is not enforced on the registration flow itself, so a user can bypass the setting by navigating directly to the registration URL (/ui/login/loginname), potentially compromising system security. There is no workaround; the only mitigation is to update to a patched version, where the registration flow enforces the setting.
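The defect described above, as an added illustration that is not Zitadel's code: a hypothetical registration handler in which the organisation's policy only decides whether the login page renders the button (so a direct request is still honoured), beside one that enforces the policy on every request, plus a helper that sends a direct request to the registration path and reports which behaviour a handler has. The OrgPolicy type and handler names are constructed for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// OrgPolicy is a constructed stand-in for a per-organisation login policy
// (hypothetical type; not Zitadel's own).
type OrgPolicy struct {
	AllowRegister bool
}

// vulnerableRegisterHandler reproduces the flawed pattern: AllowRegister is
// consulted only when the login page decides whether to render the
// "register" button, so the registration route itself accepts every request.
func vulnerableRegisterHandler(p OrgPolicy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// (UI rendering elsewhere hides the button when !p.AllowRegister)
		w.WriteHeader(http.StatusCreated)
	})
}

// hardenedRegisterHandler enforces the policy on the server for every
// request, independent of what the login page chose to render.
func hardenedRegisterHandler(p OrgPolicy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !p.AllowRegister {
			http.Error(w, "self-registration is disabled", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusCreated)
	})
}

// registerStatus sends a direct POST to the registration path named in the
// advisory and returns the HTTP status, so a deployment test can verify the
// setting is enforced rather than merely hidden.
func registerStatus(h http.Handler) int {
	req := httptest.NewRequest(http.MethodPost, "/ui/login/loginname", nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	off := OrgPolicy{AllowRegister: false}
	// Expect 201 (bypass succeeds) for the flawed handler, 403 for the hardened one.
	println(registerStatus(vulnerableRegisterHandler(off)), registerStatus(hardenedRegisterHandler(off)))
}
```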

Affected Version(s)

zitadel >= 2.63, < 2.63.5

zitadel >= 2.62, < 2.62.7

zitadel >= 2.61, < 2.61.3

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
