Zitadel Disables User Self-Registration Due to Security Vulnerability
CVE-2024-49757

7.5HIGH

Key Information:

Vendor

Zitadel

Status
Zitadel
Vendor
CVE Published:
25 October 2024

What is CVE-2024-49757?

A security issue in the Zitadel identity infrastructure software allows users to register despite administrative restrictions on self-registration. The flaw arises from a lack of proper security checks in certain versions (prior to 2.64.0, including versions 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7). While administrators can disable the user self-registration feature, this action only conceals the registration button on the login interface. Users can still circumvent these settings by directly accessing the specific registration URL (/ui/login/loginname), potentially compromising system security. To mitigate this vulnerability, it is advised to update to patched versions that secure the registration processes effectively, as there are no available workarounds.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

zitadel >= 2.63, < 2.63.5 < 2.63, 2.63.5

zitadel >= 2.62, < 2.62.7 < 2.62, 2.62.7

zitadel >= 2.61, < 2.61.3 < 2.61, 2.61.3

References

https://github.com/zitadel/zitadel/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/zitadel/zitadel/releases/tag/v2.58.7
x_refsource_MISC
https://github.com/zitadel/zitadel/releases/tag/v2.59.5
x_refsource_MISC

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.