Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore.
History

Wed, 25 Sep 2024 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Zitadel
Zitadel zitadel
Weaknesses CWE-863
CPEs cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:2.61.0:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:2.62.0:*:*:*:*:*:*:*
Vendors & Products Zitadel
Zitadel zitadel

Fri, 20 Sep 2024 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Sep 2024 23:30:00 +0000

Type Values Removed Values Added
Description Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore.
Title Unauthorized Access After Organization or Project Deactivation in Zitadel
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-19T23:08:01.375Z

Updated: 2024-09-20T15:28:08.556Z

Reserved: 2024-09-17T17:42:37.027Z

Link: CVE-2024-47060

cve-icon Vulnrichment

Updated: 2024-09-20T15:28:05.352Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-20T00:15:03.767

Modified: 2024-09-25T16:43:47.267

Link: CVE-2024-47060

cve-icon Redhat

No data.