GitHub_MCVELIST:CVE-2024-39683CVE-2024-39683 ZITADEL Vulnerable to Session Information Leakage
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
13.2%
ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created though the session service) were incorrectly listed exposing potentially other user’s sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available.
CNA Affected
[
{
"vendor": "zitadel",
"product": "zitadel",
"versions": [
{
"version": "= 2.55.0",
"status": "affected"
},
{
"version": ">= 2.54.0, < 2.54.5",
"status": "affected"
},
{
"version": ">= 2.53.0, < 2.53.8",
"status": "affected"
}
]
}
]References
discord.com/channels/927474939156643850/1254096852937347153
github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04
github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da
github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73
github.com/zitadel/zitadel/issues/8213
github.com/zitadel/zitadel/pull/8231
github.com/zitadel/zitadel/releases/tag/v2.53.8
github.com/zitadel/zitadel/releases/tag/v2.54.5
github.com/zitadel/zitadel/releases/tag/v2.55.1
github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
13.2%