Zitadel · Zitadel · CVE-2024-47060
**Name of the Vulnerable Software and Affected Versions**
Zitadel versions prior to 2.54.10
Zitadel versions from 2.55.0 through 2.55.7
Zitadel versions from 2.56.0 through 2.56.5
Zitadel versions from 2.57.0 through 2.57.4
Zitadel versions from 2.58.0 through 2.58.4
Zitadel versions from 2.59.0 through 2.59.2
Zitadel versions from 2.60.0 through 2.60.1
Zitadel versions from 2.61.0 through 2.61.0
Zitadel versions from 2.62.0 through 2.62.0
**Description**
When an organization is deactivated in Zitadel, the applications associated with it are not automatically deactivated. Projects and their resources therefore remain reachable through those applications even though access should have been restricted once the organization was deactivated: users from other organizations can still log in and gain access through these applications, resulting in unauthorized access.
**Recommendations**
For versions prior to 2.54.10, upgrade to version 2.54.10 or later.
For versions from 2.55.0 through 2.55.7, upgrade to version 2.55.8 or later.
For versions from 2.56.0 through 2.56.5, upgrade to version 2.56.6 or later.
For versions from 2.57.0 through 2.57.4, upgrade to version 2.57.5 or later.
For versions from 2.58.0 through 2.58.4, upgrade to version 2.58.5 or later.
For versions from 2.59.0 through 2.59.2, upgrade to version 2.59.3 or later.
For versions from 2.60.0 through 2.60.1, upgrade to version 2.60.2 or later.
For versions from 2.61.0 through 2.61.0, upgrade to version 2.61.1 or later.
For versions from 2.62.0 through 2.62.0, upgrade to version 2.62.1 or later.
As a temporary workaround, users unable to upgrade can explicitly disable the affected applications so that the client is no longer allowed to be used.
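As an added example (not code from the advisory or the Zitadel project), a small Python audit helper: it maps an instance's version to the fixed release from the table above and lists applications that are still active under a deactivated organization, which are exactly the clients the workaround says to disable explicitly. The org/app records and their plain "active"/"inactive" state strings are constructed for the example and are not Zitadel's real API shapes.

```python
import re
from typing import Optional

# Affected ranges copied from the advisory, as [lower inclusive, upper exclusive).
# The upper bound of each range is exactly the release the advisory says to upgrade to.
AFFECTED_RANGES = [
    ("0.0.0", "2.54.10"), ("2.55.0", "2.55.8"), ("2.56.0", "2.56.6"),
    ("2.57.0", "2.57.5"), ("2.58.0", "2.58.5"), ("2.59.0", "2.59.3"),
    ("2.60.0", "2.60.2"), ("2.61.0", "2.61.1"), ("2.62.0", "2.62.1"),
]

# Constructed sample inventory (not real Zitadel data): org id -> state, and apps
# with their owning org. Real API responses use enum names; plain strings suffice here.
SAMPLE_ORGS = {"org-a": "inactive", "org-b": "active"}
SAMPLE_APPS = [
    {"id": "app-1", "org_id": "org-a", "state": "active"},    # still reachable: must be disabled
    {"id": "app-2", "org_id": "org-a", "state": "inactive"},  # already disabled by an operator
    {"id": "app-3", "org_id": "org-b", "state": "active"},    # org is active, nothing to do
]


def parse_version(text: str) -> tuple:
    """'v2.57.3' or '2.57.3-rc.1' -> (2, 57, 3); a leading 'v' and any suffix are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Zitadel version: {text!r}")
    return tuple(int(p) for p in m.groups())


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for an affected version, or None when not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def apps_needing_manual_disable(orgs: dict, apps: list) -> list:
    """Ids of apps still active although their organization is deactivated."""
    # On an affected instance these are the clients the workaround says to disable
    # explicitly, since deactivating the organization did not disable them.
    return sorted(a["id"] for a in apps
                  if a["state"] == "active" and orgs.get(a["org_id"]) == "inactive")


if __name__ == "__main__":
    print("fixed release for v2.57.3:", fixed_version_for("v2.57.3"))
    print("apps to disable manually:", apps_needing_manual_disable(SAMPLE_ORGS, SAMPLE_APPS))
```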