PT-2023-29231 · Zitadel · Zitadel

Hoseph

Published

2023-10-10

Updated

2023-10-23

CVE-2023-44399

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions ZITADEL versions 2.37.2 and prior

Description ZITADEL provides identity infrastructure. The issue arises from the "Ignoring unknown usernames" setting, which is intended to mitigate attacks that try to guess or enumerate usernames. Although this setting works correctly during the authentication process, it fails to work as expected on the password reset flow. As a result, even with this feature active, an attacker can use the password reset function to verify if an account exists within ZITADEL.

Recommendations For ZITADEL versions 2.37.2 and prior, update to version 2.37.3 or 2.38.0 to resolve the issue. As a temporary workaround, consider restricting access to the password reset function until the update is applied.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-640

Related Identifiers

CVE-2023-44399

GHSA-V683-RCXX-VPFF

Affected Products

Zitadel

PT-2023-29231 · Zitadel · Zitadel

CVE-2023-44399

Weakness Enumeration

Related Identifiers

Affected Products

References · 9