PT-2024-28623 · Zitadel · Zitadel
Amirhoseinbrz +3
Published: 2024-07-03 · Updated: 2025-01-08
CVE-2024-39683
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
ZITADEL versions 2.0.0 through 2.53.7
ZITADEL versions 2.54.0 through 2.54.4
ZITADEL version 2.55.0
Description
ZITADEL is an open-source identity infrastructure tool that lets users list all user sessions belonging to the current user agent. Due to a missing check, sessions that carried no user-agent information were listed as well, potentially exposing other users' sessions. The issue affects the API and the Console UI, but not the Login UI. Such a session cannot be taken over.
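The missing presence check described above, as an added illustration that is not ZITADEL's code: the `Session` type, the two filter functions and the sample data are assumptions built for this example. The vulnerable filter lets sessions with no user-agent information through for every caller; the fixed filter requires a fingerprint on both sides and an exact match.

```go
package main

import "errors"

// Session is a simplified, assumed model of a stored session (not ZITADEL's
// real type). UserAgentFingerprint is empty for sessions created without
// user-agent information, e.g. programmatically through an API call.
type Session struct {
	ID, UserID, UserAgentFingerprint string
}

// listSessionsVulnerable models the flaw in the advisory: the fingerprint is
// only compared when the stored session has one, so sessions without
// user-agent information are returned to every caller, whoever owns them.
func listSessionsVulnerable(all []Session, currentFingerprint string) []Session {
	var out []Session
	for _, s := range all {
		if s.UserAgentFingerprint == "" || s.UserAgentFingerprint == currentFingerprint {
			out = append(out, s)
		}
	}
	return out
}

// listSessionsFixed adds the missing presence check: the caller must supply a
// fingerprint, and only sessions that carry that exact, non-empty fingerprint
// are returned. A session with no user-agent information never matches.
func listSessionsFixed(all []Session, currentFingerprint string) ([]Session, error) {
	if currentFingerprint == "" {
		return nil, errors.New("current user agent fingerprint is missing")
	}
	var out []Session
	for _, s := range all {
		if s.UserAgentFingerprint != "" && s.UserAgentFingerprint == currentFingerprint {
			out = append(out, s)
		}
	}
	return out, nil
}

// sampleSessions is constructed test data: two browser sessions of different
// users plus one API-created session of bob that has no user agent.
func sampleSessions() []Session {
	return []Session{
		{ID: "s1", UserID: "alice", UserAgentFingerprint: "fp-alice-browser"},
		{ID: "s2", UserID: "bob", UserAgentFingerprint: "fp-bob-browser"},
		{ID: "s3", UserID: "bob", UserAgentFingerprint: ""},
	}
}
```

Listing with alice's fingerprint returns s1 and s3 from the vulnerable filter (bob's API-created session leaks) and only s1 from the fixed one.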
Recommendations
For ZITADEL versions 2.0.0 through 2.53.7, upgrade to version 2.53.8 or later.
For ZITADEL versions 2.54.0 through 2.54.4, upgrade to version 2.54.5 or later.
For ZITADEL version 2.55.0, upgrade to version 2.55.1 or later.
Weakness Enumeration
Information Disclosure
Related Identifiers
CVE-2024-39683
Affected Products
Zitadel