CVE-2024-49757

Name of the Vulnerable Software and Affected Versions: Zitadel versions prior to 2.64.0 Zitadel versions prior to 2.63.5 Zitadel versions prior to 2.62.7 Zitadel versions prior to 2.61.4 Zitadel versions prior to 2.60.4 Zitadel versions prior to 2.59.5 Zitadel versions prior to 2.58.7

Description: The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way.

Recommendations: Update to version 2.64.0 or later for the 2.x branch. Update to version 2.63.5 or later for the 2.63.x branch. Update to version 2.62.7 or later for the 2.62.x branch. Update to version 2.61.4 or later for the 2.61.x branch. Update to version 2.60.4 or later for the 2.60.x branch. Update to version 2.59.5 or later for the 2.59.x branch. Update to version 2.58.7 or later for the 2.58.x branch.