GoogleOSV:GHSA-GP8G-F42F-95Q2ZITADEL's actions can overload reserved claims
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
13.0%
Impact
Under certain circumstances an action could set reserved claims managed by ZITADEL.
For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name
{"urn:zitadel:iam:user:resourceowner:name": "ACME"}
if it was not set by ZITADEL itself.
To compensate for this we introduced a protection that does prevent actions from changing claims that start with urn:zitadel:iam
Patches
2.x versions are fixed on >= 2.48.3
2.47.x versions are fixed on >= 2.47.8
2.46.x versions are fixed on >= 2.46.5
2.45.x versions are fixed on >= 2.45.5
2.44.x versions are fixed on >= 2.44.7
2.43.x versions are fixed on >= 2.43.11
2.42.x versions are fixed on >= 2.42.17
Workarounds
No workaround available since a patch is available
Credits
Many thanks to @schettn whose disclosure of another topic lead us to find this issue.
References
github.com/zitadel/zitadel
github.com/zitadel/zitadel/releases/tag/v2.42.17
github.com/zitadel/zitadel/releases/tag/v2.43.11
github.com/zitadel/zitadel/releases/tag/v2.44.7
github.com/zitadel/zitadel/releases/tag/v2.45.5
github.com/zitadel/zitadel/releases/tag/v2.46.5
github.com/zitadel/zitadel/releases/tag/v2.47.8
github.com/zitadel/zitadel/releases/tag/v2.48.3
github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2
nvd.nist.gov/vuln/detail/CVE-2024-29892
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
13.0%