PT-2024-32333 · Zitadel · Zitadel
Livio-A
Published: 2024-09-19 · Updated: 2024-09-26
CVE-2024-47000
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Zitadel versions prior to 2.54.10
Zitadel versions 2.55.0 through 2.55.7
Zitadel versions 2.56.0 through 2.56.5
Zitadel versions 2.57.0 through 2.57.4
Zitadel versions 2.58.0 through 2.58.4
Zitadel versions 2.59.0 through 2.59.2
Zitadel versions 2.60.0 through 2.60.1
Zitadel version 2.61.0
Zitadel version 2.62.0
Description
Zitadel's user account deactivation mechanism was not enforced for service accounts. A deactivated service account retained the ability to request tokens, so its existing credentials could still be used to gain unauthorized access to applications and resources.
Recommendations
Upgrade to version 2.54.10 or later.
For versions prior to 2.54.10, consider creating new credentials and replacing the old ones wherever they are used.
Revoke all existing authentication keys associated with the service account.
Rotate the service account's password.
At the moment, there is no information about other versions that contain a fix for this vulnerability.
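As an added example (not part of the advisory and not Zitadel's own tooling), the following Python script lets an operator confirm, after upgrading, that a service user they have deactivated can no longer obtain a token. It assumes Zitadel's JWT-profile flow for service users (a self-signed RS256 assertion posted to <issuer>/oauth/v2/token with the jwt-bearer grant) and the key-file layout downloaded from the console (keyId, key, userId); the PyJWT package is needed only for signing.

```python
"""Post-upgrade check for PT-2024-32333 / CVE-2024-47000.

Assumed, not taken from the advisory: the Zitadel JWT-profile flow for
service users (assertion posted to <issuer>/oauth/v2/token with the
jwt-bearer grant) and the key-file layout {"keyId", "key", "userId"}.
"""
import json
import time
import urllib.parse
import urllib.request
from urllib.error import HTTPError

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def assertion_claims(user_id: str, issuer: str, now: int, ttl: int = 300) -> dict:
    """Claims for the service-user assertion: iss and sub are the user id,
    aud is the Zitadel issuer URL, and the lifetime is kept short."""
    return {"iss": user_id, "sub": user_id, "aud": issuer,
            "iat": now, "exp": now + ttl}


def sign_assertion(key_file: dict, issuer: str) -> str:
    """Sign the assertion with the service user's RSA key (RS256)."""
    import jwt  # PyJWT; imported lazily so the pure helpers need no extra deps
    claims = assertion_claims(key_file["userId"], issuer, int(time.time()))
    return jwt.encode(claims, key_file["key"], algorithm="RS256",
                      headers={"kid": key_file["keyId"]})


def request_token(issuer: str, assertion: str) -> tuple:
    """POST the jwt-bearer grant; return (HTTP status, JSON body)."""
    body = urllib.parse.urlencode({"grant_type": JWT_BEARER, "scope": "openid",
                                   "assertion": assertion}).encode()
    req = urllib.request.Request(f"{issuer}/oauth/v2/token", data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:  # Zitadel returns the OAuth error as a JSON body
        return err.code, json.load(err)


def deactivation_enforced(status: int, body: dict) -> bool:
    """True when the token endpoint refused the deactivated service user.
    A 2xx response carrying an access_token means the account can still
    authenticate, i.e. the instance shows the behaviour the advisory describes."""
    return not (200 <= status < 300 and "access_token" in body)


def check(issuer: str, key_path: str) -> bool:
    """End-to-end check against a service user you have already deactivated."""
    with open(key_path) as fh:
        key_file = json.load(fh)
    status, body = request_token(issuer, sign_assertion(key_file, issuer))
    return deactivation_enforced(status, body)
```

Run `check("https://<your-instance>", "deactivated-user.json")` against your own instance; a return value of False means the deactivated account still obtains tokens and the fix is not in place.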
Weakness type: Improper Privilege Management
Affected Products: Zitadel