CVE-2023-47111

Name of the Vulnerable Software and Affected Versions ZITADEL versions prior to 2.38.3 ZITADEL versions prior to 2.40.5

Description ZITADEL provides identity infrastructure, allowing administrators to define a Lockout Policy with a maximum amount of failed password check attempts. In the affected implementation, an attacker could start multiple parallel password checks, attempting more combinations than configured in the Lockout Policy. This allowed the attacker to exceed the lockout limit, potentially leading to unauthorized access.

Recommendations For versions prior to 2.38.3, update to version 2.38.3 or later. For versions prior to 2.40.5, update to version 2.40.5 or later. As a temporary workaround is not applicable since a patch is already available, ensure to apply the patch as soon as possible to prevent exploitation.