PT-2024-32379 · Zitadel · Zitadel

Prdp1137 · Published 2024-09-19 · Updated 2024-09-26 · CVE-2024-47060

CVSS v4.0: 7.4 (High)
Vector: AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Zitadel versions prior to 2.54.10
Zitadel versions from 2.55.0 through 2.55.7
Zitadel versions from 2.56.0 through 2.56.5
Zitadel versions from 2.57.0 through 2.57.4
Zitadel versions from 2.58.0 through 2.58.4
Zitadel versions from 2.59.0 through 2.59.2
Zitadel versions from 2.60.0 through 2.60.1
Zitadel versions from 2.61.0 through 2.61.0
Zitadel versions from 2.62.0 through 2.62.0
Description

The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it are not deactivated automatically. Projects and their resources, which should have become inaccessible once the organization was deactivated, therefore remain reachable through those applications. Users from other organizations can still log in through these applications and access them, leading to unauthorized access.
Recommendations

For versions prior to 2.54.10, upgrade to version 2.54.10 or later.
For versions from 2.55.0 through 2.55.7, upgrade to version 2.55.8 or later.
For versions from 2.56.0 through 2.56.5, upgrade to version 2.56.6 or later.
For versions from 2.57.0 through 2.57.4, upgrade to version 2.57.5 or later.
For versions from 2.58.0 through 2.58.4, upgrade to version 2.58.5 or later.
For versions from 2.59.0 through 2.59.2, upgrade to version 2.59.3 or later.
For versions from 2.60.0 through 2.60.1, upgrade to version 2.60.2 or later.
For versions from 2.61.0 through 2.61.0, upgrade to version 2.61.1 or later.
For versions from 2.62.0 through 2.62.0, upgrade to version 2.62.1 or later.

As a temporary workaround, users unable to upgrade can explicitly disable the application so that its client is no longer accepted.
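The authorization gap described above, modelled as an added Go example (constructed here, not Zitadel's own code): the hypothetical Resource type stands in for organization, project and application, vulnerableAllows shows the pre-fix check that consults only the application's own state, and fixedAllows shows the cascade a deactivated organization should impose; the final step shows why the workaround of explicitly disabling the application works even on the unpatched check.

```go
package main

import "fmt"

// Resource is a constructed, simplified model of a Zitadel organization,
// project or application (not Zitadel's own types): each resource has an
// owner chain app -> project -> org and its own active flag.
type Resource struct {
	Name   string
	Parent *Resource // nil for the organization at the root of the chain
	Active bool
}

// vulnerableAllows models the pre-fix behaviour the advisory describes:
// only the application's own state gates the client, so the state of the
// owning organization is never consulted.
func vulnerableAllows(app *Resource) bool {
	return app.Active
}

// fixedAllows treats a resource as usable only if every resource on its
// ownership chain is active, so deactivating the organization implicitly
// denies every application beneath it without touching each one.
func fixedAllows(app *Resource) bool {
	for r := app; r != nil; r = r.Parent {
		if !r.Active {
			return false
		}
	}
	return true
}

func main() {
	org := &Resource{Name: "org", Active: true}
	project := &Resource{Name: "project", Parent: org, Active: true}
	app := &Resource{Name: "app", Parent: project, Active: true}

	org.Active = false // an admin deactivates the organization
	fmt.Println("vulnerable check allows client:", vulnerableAllows(app)) // true
	fmt.Println("fixed check allows client:", fixedAllows(app))           // false

	// Workaround from the advisory: explicitly disable the application so
	// that even the pre-fix check rejects the client.
	app.Active = false
	fmt.Println("vulnerable check after workaround:", vulnerableAllows(app)) // false
}
```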

Weakness Enumeration

Information Disclosure
Incorrect Authorization

Related Identifiers

CVE-2024-47060
GHSA-JJ94-6F5C-65R8
GO-2024-3138

Affected Products

Zitadel