PT-2024-23115 · Zitadel · Zitadel
Schettn · Published 2024-03-27 · Updated 2025-01-08
CVE-2024-29892
CVSS v4.0: 8.3 (High)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
ZITADEL versions prior to 2.42.17
ZITADEL versions 2.42.17 through 2.48.3
Description
The issue arises from the use of Go templates to render the login UI in ZITADEL, allowing actions to set reserved claims under certain circumstances. For example, it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name. A protection has been introduced to prevent actions from changing claims that start with urn:zitadel:iam.
Recommendations
For versions prior to 2.42.17, update to version 2.42.17 or later.
For versions 2.42.17 through 2.43.10, update to version 2.43.11 or later.
For versions 2.43.11 through 2.44.6, update to version 2.44.7 or later.
For versions 2.44.7 through 2.45.4, update to version 2.45.5 or later.
For versions 2.45.5 through 2.46.4, update to version 2.46.5 or later.
For versions 2.46.5 through 2.47.7, update to version 2.47.8 or later.
For versions 2.47.8 through 2.48.2, update to version 2.48.3 or later.
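The protection described above, that an action must not be able to set or overwrite claims in the urn:zitadel:iam namespace, can be illustrated with a small merge routine. This is an added example, not ZITADEL's own code: the function names are hypothetical, the sample claims are constructed, and the whitespace-trimming, case-insensitive prefix match is an assumption that is stricter than a plain prefix check.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Claims in this namespace are set by ZITADEL itself (prefix taken from the
// advisory); an action must not be allowed to set or overwrite them.
const reservedClaimPrefix = "urn:zitadel:iam"

// IsReservedClaim reports whether a claim name is in the reserved namespace.
// Trimming and lower-casing first (an assumption of this example, stricter
// than a plain prefix match) stops "URN:ZITADEL:IAM:..." variants slipping by.
func IsReservedClaim(name string) bool {
	return strings.HasPrefix(strings.ToLower(strings.TrimSpace(name)), reservedClaimPrefix)
}

// ApplyActionClaims merges claims returned by an action into the token's
// claim set, dropping reserved ones and returning their names (sorted) so
// the rejection can be logged. Hypothetical helper, not ZITADEL's own API.
func ApplyActionClaims(token, fromAction map[string]any) (map[string]any, []string) {
	out := make(map[string]any, len(token)+len(fromAction))
	for k, v := range token {
		out[k] = v
	}
	var rejected []string
	for k, v := range fromAction {
		if IsReservedClaim(k) {
			rejected = append(rejected, k)
			continue
		}
		out[k] = v
	}
	sort.Strings(rejected)
	return out, rejected
}

func main() {
	// Constructed sample: an action tries to overwrite the resource owner
	// name claim named in the advisory alongside a legitimate custom claim.
	token := map[string]any{"sub": "user-123", "urn:zitadel:iam:user:resourceowner:name": "acme-org"}
	fromAction := map[string]any{"department": "finance", "urn:zitadel:iam:user:resourceowner:name": "other-org"}
	merged, rejected := ApplyActionClaims(token, fromAction)
	fmt.Println("merged:", merged)
	fmt.Println("rejected:", rejected)
}
```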
Weakness Enumeration
Incorrect Authorization
Affected Products
Zitadel