Source: OSV (Google)
ID: GO-2024-2637
History: Jun 05, 2024 - 3:10 p.m.

Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel

Published: 2024-06-05 15:10:52
Reporter: Google
Source: osv.dev
5
Tags: account takeover, zitadel, session fixation, multi-factor authentication, github

CVSS3: 7.5
Attack Vector: ADJACENT
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS: 0
Percentile: 9.0%

Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: github.com/zitadel/zitadel before v2.44.3, from v2.45.0 before v2.45.1.
