GoogleOSV:GHSA-6RRR-78XP-5JP8Zitadel RefreshToken invalidation vulnerability
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
45.0%
Impact
RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the userβs session without the need for interacting with a UI.
RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant.
When the locked or deactivated userβs session was already terminated (βlogged outβ) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration).
Patches
2.x versions are fixed on >= 2.17.3
2.16.x versions are fixed on >= 2.16.4
ZITADEL recommends upgrading to the latest versions available in due course.
Workarounds
Ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements.
References
https://zitadel.com/docs/guides/manage/console/instance-settings#oidc-token-lifetimes-and-expiration
References
github.com/zitadel/zitadel
github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83
github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2
github.com/zitadel/zitadel/releases/tag/v2.16.4
github.com/zitadel/zitadel/releases/tag/v2.17.3
github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8
nvd.nist.gov/vuln/detail/CVE-2023-22492
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
45.0%