GHSA-567v-6hmg-6qg7

Source

https://github.com/advisories/GHSA-567v-6hmg-6qg7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-567v-6hmg-6qg7/GHSA-567v-6hmg-6qg7.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-567v-6hmg-6qg7

Aliases

Published

2024-07-31T21:02:52Z

Modified

2024-08-07T15:19:08Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

ZITADEL "ignoring unknown usernames" vulnerability

Details

Impact

ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". Due to a implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases and an attacker would gain information if an account exist within ZITADEL, since the error message shows "object not found" instead of the generic error message.

Patches

2.x versions are fixed on >= 2.58.1 2.57.x versions are fixed on >= 2.57.1 2.56.x versions are fixed on >= 2.56.2 2.55.x versions are fixed on >= 2.55.5 2.54.x versions are fixed on >= 2.54.8 2.53.x versions are fixed on >= 2.53.9

ZITADEL recommends upgrading to the latest versions available in due course.

Workarounds

There is no workaround since a patch is already available.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Database specific

{
    "nvd_published_at": "2024-07-31T17:15:10Z",
    "cwe_ids": [
        "CWE-203"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-31T21:02:52Z"
}

References

Affected packages

Go / github.com/zitadel/zitadel

Package

Name: github.com/zitadel/zitadel; View open source insights on deps.dev
Purl: pkg:golang/github.com/zitadel/zitadel

Affected ranges

Type: SEMVER
Events: Introduced

2.53.0

Fixed

2.53.9

Database specific

{
    "last_known_affected_version_range": "<= 2.53.8"
}

Go / github.com/zitadel/zitadel

Package

Name: github.com/zitadel/zitadel; View open source insights on deps.dev
Purl: pkg:golang/github.com/zitadel/zitadel

Affected ranges

Type: SEMVER
Events: Introduced

2.54.0

Fixed

2.54.8

Database specific

{
    "last_known_affected_version_range": "<= 2.54.7"
}

Go / github.com/zitadel/zitadel

Package

Name: github.com/zitadel/zitadel; View open source insights on deps.dev
Purl: pkg:golang/github.com/zitadel/zitadel

Affected ranges

Type: SEMVER
Events: Introduced

2.55.0

Fixed

2.55.5

Database specific

{
    "last_known_affected_version_range": "<= 2.55.4"
}

Go / github.com/zitadel/zitadel

Package

Name: github.com/zitadel/zitadel; View open source insights on deps.dev
Purl: pkg:golang/github.com/zitadel/zitadel

Affected ranges

Type: SEMVER
Events: Introduced

2.56.0

Fixed

2.56.2

Database specific

{
    "last_known_affected_version_range": "<= 2.56.1"
}

GHSA-567v-6hmg-6qg7

Impact

Patches

Workarounds

Questions

Affected packages

Go / github.com/zitadel/zitadel

Package

Affected ranges

Database specific

Go / github.com/zitadel/zitadel

Package

Affected ranges

Database specific

Go / github.com/zitadel/zitadel

Package

Affected ranges

Database specific

Go / github.com/zitadel/zitadel

Package

Affected ranges

Database specific

Go / github.com/zitadel/zitadel

Package

Affected ranges

Affected versions

2.*

Go / github.com/zitadel/zitadel

Package

Affected ranges

Affected versions

2.*