Lucene search

GoogleOSV:GO-2024-2788

HistoryJun 05, 2024 - 3:10 p.m.

ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel

2024-06-0515:10:52

Google

osv.dev

zitadel

improper lockout mechanism

mfa bypass

github

software

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

9.0%

JSON

ZITADEL’s Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: github.com/zitadel/zitadel before v2.50.0.

References

github.com/zitadel/zitadel/releases/tag/v2.50.0

github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239

nvd.nist.gov/vuln/detail/CVE-2024-32868

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

9.0%

JSON

Related for OSV:GO-2024-2788