Vulnerability-Lookup

CVE-2024-47060 (GCVE-0-2024-47060)

Vulnerability from cvelistv5 – Published: 2024-09-19 23:08 – Updated: 2024-09-20 15:28

Title

Unauthorized Access After Organization or Project Deactivation in Zitadel

Summary

Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

https://github.com/zitadel/zitadel/security/advis…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	zitadel	zitadel	Affected: >= 2.62.0, < 2.62.1 Affected: >= 2.61.0, < 2.61.1 Affected: >= 2.60.0, < 2.60.2 Affected: >= 2.59.0, < 2.59.3 Affected: >= 2.58.0, < 2.58.5 Affected: >= 2.57.0, < 2.57.5 Affected: >= 2.56.0, < 2.56.6 Affected: >= 2.55.0, < 2.55.8 Affected: < 2.54.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47060",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-20T15:27:59.964305Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-20T15:28:08.556Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "zitadel",
          "vendor": "zitadel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.62.0, \u003c 2.62.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.61.0, \u003c 2.61.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.60.0, \u003c 2.60.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.59.0, \u003c 2.59.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.58.0, \u003c 2.58.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.57.0, \u003c 2.57.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.56.0, \u003c 2.56.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.55.0, \u003c 2.55.8"
            },
            {
              "status": "affected",
              "version": "\u003c 2.54.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization\u0027s lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-19T23:08:01.375Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8"
        }
      ],
      "source": {
        "advisory": "GHSA-jj94-6f5c-65r8",
        "discovery": "UNKNOWN"
      },
      "title": "Unauthorized Access After Organization or Project Deactivation in Zitadel"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47060",
    "datePublished": "2024-09-19T23:08:01.375Z",
    "dateReserved": "2024-09-17T17:42:37.027Z",
    "dateUpdated": "2024-09-20T15:28:08.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47060\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-20T15:27:59.964305Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-20T15:28:05.352Z\"}}], \"cna\": {\"title\": \"Unauthorized Access After Organization or Project Deactivation in Zitadel\", \"source\": {\"advisory\": \"GHSA-jj94-6f5c-65r8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"zitadel\", \"product\": \"zitadel\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.62.0, \u003c 2.62.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.61.0, \u003c 2.61.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.60.0, \u003c 2.60.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.59.0, \u003c 2.59.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.58.0, \u003c 2.58.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.57.0, \u003c 2.57.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.56.0, \u003c 2.56.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.55.0, \u003c 2.55.8\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.54.10\"}]}], \"references\": [{\"url\": \"https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8\", \"name\": \"https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization\u0027s lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-09-19T23:08:01.375Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47060\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-20T15:28:08.556Z\", \"dateReserved\": \"2024-09-17T17:42:37.027Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-09-19T23:08:01.375Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-47060

Vulnerability from fkie_nvd - Published: 2024-09-20 00:15 - Updated: 2024-09-25 16:43

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
zitadel	zitadel	*
zitadel	zitadel	*
zitadel	zitadel	*
zitadel	zitadel	*
zitadel	zitadel	*
zitadel	zitadel	*
zitadel	zitadel	*
zitadel	zitadel	2.61.0
zitadel	zitadel	2.62.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B57963B2-68B5-4E7C-97B7-64304BB64F6C",
              "versionEndExcluding": "2.54.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD559AF6-7A21-405F-A421-B801F37B9B3C",
              "versionEndExcluding": "2.55.8",
              "versionStartIncluding": "2.55.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "04A51D71-DC37-4443-AFD4-5C1DACBD9026",
              "versionEndExcluding": "2.56.6",
              "versionStartIncluding": "2.56.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A379F08-C3D5-4C5F-8799-AC2E9097A655",
              "versionEndExcluding": "2.57.5",
              "versionStartIncluding": "2.57.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "095B9185-EB6C-4601-95AC-C1F8CE4CF757",
              "versionEndExcluding": "2.58.5",
              "versionStartIncluding": "2.58.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "790DC952-225B-4AAA-873C-EACDE249982B",
              "versionEndExcluding": "2.59.3",
              "versionStartIncluding": "2.59.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "89E084F5-D132-4244-8E7C-4E26E033A636",
              "versionEndExcluding": "2.60.2",
              "versionStartIncluding": "2.60.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:2.61.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "ED36FAD4-DAB7-41FE-8C14-119B24E2CCCC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zitadel:zitadel:2.62.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D15D8180-D356-4933-8390-19B2DCE2D89F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization\u0027s lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore."
    },
    {
      "lang": "es",
      "value": "Zitadel es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. En Zitadel, incluso despu\u00e9s de que se desactiva una organizaci\u00f3n, los proyectos asociados y sus aplicaciones permanecen activos. Los usuarios de otras organizaciones a\u00fan pueden iniciar sesi\u00f3n y acceder a trav\u00e9s de estas aplicaciones, lo que genera acceso no autorizado. Adem\u00e1s, si se desactiva un proyecto, tambi\u00e9n se puede acceder a las aplicaciones. El problema surge del hecho de que cuando se desactiva una organizaci\u00f3n en Zitadel, las aplicaciones asociadas a ella no se desactivan autom\u00e1ticamente. El ciclo de vida de la aplicaci\u00f3n no est\u00e1 estrechamente vinculado con el ciclo de vida de la organizaci\u00f3n, lo que genera una situaci\u00f3n en la que la organizaci\u00f3n o el proyecto se marcan como inactivos, pero sus recursos siguen siendo accesibles. Esta vulnerabilidad permite el acceso no autorizado a los proyectos y sus recursos, que deber\u00edan haber estado restringidos despu\u00e9s de la desactivaci\u00f3n de la organizaci\u00f3n. Se han publicado las versiones 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8 y 2.54.10 que solucionan este problema. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar la versi\u00f3n pueden deshabilitar expl\u00edcitamente la aplicaci\u00f3n para asegurarse de que el cliente ya no est\u00e9 autorizado."
    }
  ],
  "id": "CVE-2024-47060",
  "lastModified": "2024-09-25T16:43:47.267",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-09-20T00:15:03.767",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-JJ94-6F5C-65R8

Vulnerability from github – Published: 2024-09-19 16:08 – Updated: 2024-11-18 16:27

Summary

ZITADEL Allows Unauthorized Access After Organization or Project Deactivation

Details

Summary

In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible.

Details

The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible.

PoC

Create a new Organization, create new project and setup OpenID connect.
Deactivate an Organization
Setup authentication without selecting Check for Project on Authentication
User is able to login despite the organization is deactivated

Impact

This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation.

Patches

2.x versions are fixed on >= 2.62.1 2.61.x versions are fixed on >= 2.61.1 2.60.x versions are fixed on >= 2.60.2 2.59.x versions are fixed on >= 2.59.3 2.58.x versions are fixed on >= 2.58.5 2.57.x versions are fixed on >= 2.57.5 2.56.x versions are fixed on >= 2.56.6 2.55.x versions are fixed on >= 2.55.8 2.54.x versions are fixed on >= 2.54.10

Workaround

Unpatched versions can explicitly disable the application to make sure the client is not allowed anymore.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to @prdp1137 for reporting this!

Severity ?

6.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

7.4 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.62.0"
            },
            {
              "fixed": "2.62.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.61.0"
            },
            {
              "fixed": "2.61.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.60.0"
            },
            {
              "fixed": "2.60.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.59.0"
            },
            {
              "fixed": "2.59.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.58.0"
            },
            {
              "fixed": "2.58.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.57.0"
            },
            {
              "fixed": "2.57.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.56.0"
            },
            {
              "fixed": "2.56.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.55.0"
            },
            {
              "fixed": "2.55.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.54.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47060"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-672"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-19T16:08:38Z",
    "nvd_published_at": "2024-09-20T00:15:03Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nIn Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access.\nAdditionally, if a project was deactivated access to applications was also still possible.\n\n### Details\nThe issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization\u0027s lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible.\n\n### PoC\n- Create a new Organization, create new project and setup OpenID connect.\n- Deactivate an Organization\n- Setup authentication without selecting Check for Project on Authentication\n- User is able to login despite the organization is deactivated\n\n### Impact\nThis vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation.\n\n### Patches\n\n2.x versions are fixed on \u003e= [2.62.1](https://github.com/zitadel/zitadel/releases/tag/v2.62.1)\n2.61.x versions are fixed on \u003e= [2.61.1](https://github.com/zitadel/zitadel/releases/tag/v2.61.1)\n2.60.x versions are fixed on \u003e= [2.60.2](https://github.com/zitadel/zitadel/releases/tag/v2.60.2)\n2.59.x versions are fixed on \u003e= [2.59.3](https://github.com/zitadel/zitadel/releases/tag/v2.59.3)\n2.58.x versions are fixed on \u003e= [2.58.5](https://github.com/zitadel/zitadel/releases/tag/v2.58.5)\n2.57.x versions are fixed on \u003e= [2.57.5](https://github.com/zitadel/zitadel/releases/tag/v2.57.5)\n2.56.x versions are fixed on \u003e= [2.56.6](https://github.com/zitadel/zitadel/releases/tag/v2.56.6)\n2.55.x versions are fixed on \u003e= [2.55.8](https://github.com/zitadel/zitadel/releases/tag/v2.55.8)\n2.54.x versions are fixed on \u003e= [2.54.10](https://github.com/zitadel/zitadel/releases/tag/v2.54.10)\n\n### Workaround\nUnpatched versions can explicitly disable the application to make sure the client is not allowed anymore.\n\n### Questions\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\nThanks to @prdp1137 for reporting this!\n",
  "id": "GHSA-jj94-6f5c-65r8",
  "modified": "2024-11-18T16:27:15Z",
  "published": "2024-09-19T16:08:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47060"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ZITADEL Allows Unauthorized Access After Organization or Project Deactivation"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-47060 (GCVE-0-2024-47060)

FKIE_CVE-2024-47060

GHSA-JJ94-6F5C-65R8

Summary

Details

PoC

Impact

Patches

Workaround

Questions

Credits

Tags

Sightings

Nomenclature