Lucene search

[email protected]NVD:CVE-2023-44399

HistoryOct 10, 2023 - 5:15 p.m.

CVE-2023-44399

2023-10-1017:15:13

CWE-640

[email protected]

web.nvd.nist.gov

zitadel

identity

infrastructure

bug

versions

2.37.2

attackers

verify

account

existence

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

24.2%

JSON

ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called “Ignoring unknown usernames” which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.

Affected configurations

Nvd

Node

zitadelzitadelRange≤2.37.2

VendorProductVersionCPE
zitadelzitadel*cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zitadel	zitadel	*	cpe:2.3:a:zitadel:zitadel::::::::

References

github.com/zitadel/zitadel/releases/tag/v2.37.3

github.com/zitadel/zitadel/releases/tag/v2.38.0

github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

24.2%

JSON

Related for NVD:CVE-2023-44399

veracode1 osv2 cve1 vulnrichment1 prion1 cvelist1 github1