CVE-2023-44399: Release v2.38.0 · zitadel/zitadel

ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames", which helps mitigate attacks that try to guess or enumerate usernames. While this setting worked correctly during the authentication process, it was not honoured in the password reset flow. This meant that even with the feature active, an attacker could use the password reset function to verify whether an account exists within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.

2.38.0 (2023-10-09)

Bug Fixes

  • add userID to intent responses (#6566) (2823678)
  • apple idp configuration (#6575) (e5083b6)
  • cnsl: hide new auth button if no routerlink (#6640) (eb31c2a)
  • command: allow email as username (#6565) (9266f8f), closes #6460
  • console: don’t show empty profile when signed out (#6573) (12f5376)
  • console: hide domains settings for unauthorized users (#6602) (689655a)
  • console: if Validate Org domains is disabled don’t show domain verification dialog (#6572) (57d8ff1)
  • console: move org domains into settings page of the organization (#6612) (d01f4d2)
  • Domains problematic (#6564) (7edc73b)
  • email: UTF-8 “Q” encode subject header (#6637) (2e99d0f)
  • ensure no events are skipped on token check (#6663) (e3ac217)
  • inconsistencies and other minor issues in English strings (#6591) (a5decda)
  • Increase suffix wrapper to 200px wide (#6590) (ebb8f92)
  • login: firefox MFA radio mouse target (#6632) (e9148e9)
  • only reuse active session and use correct policies (from user org) (#6603) (593d160)
  • reduce origin check to tokens issued through code and implicit flow (#6681) (9696fde)
  • set quotas (#6597) (ae1af6b)
  • typo in “file too big” error message (#6577) (4bebcd6)
  • update saml to v0.1.2 (#6570) (3183ba2)
  • use enum for instance feature in system api (#6682) (827ce88)

Features

  • add SAML as identity provider (#6454) (15fd304)
  • console: more emphasize to preferred login name in user’s table and detail (#6588) (7faab03)
  • improve Password.NotChanged message (#6589) (f9bb250)
  • login: use default org for login without provided org context (#6625) (68bfab2)
  • passwap: base64 standard encoding for pbkdf2 (#6629) (d380627)

Performance Improvements

  • project quotas and usages (#6441) (1a49b7d)

Related news

GHSA-v683-rcxx-vpff: ZITADEL's password reset does not respect the "Ignoring unknown usernames" setting

Impact

ZITADEL administrators can enable a setting called "Ignoring unknown usernames", which helps mitigate attacks that try to guess or enumerate usernames. While this setting worked correctly during the authentication process, it was not honoured in the password reset flow. This meant that even with the feature active, an attacker could use the password reset function to verify whether an account exists within ZITADEL.

Patches

This bug has been patched in versions after 2.37.2, beginning with [2.37.3](https://github.com/zitadel/zitadel/releases/tag/v2.37.3) and [2.38.0](https://github.com/zitadel/zitadel/releases/tag/v2.38.0).

Workarounds

None available; we advise updating if this setting is needed.

References

None
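The enumeration oracle described in the CVE entry and in the advisory above, as an added example that is not ZITADEL's code. It models the one login-policy flag in question with a constructed in-memory user store: `login` shows the flag working as intended, `resetVulnerable` models a reset flow that never consults the flag (the pre-2.37.3 behaviour the advisory describes), `resetHardened` answers identically for known and unknown accounts once the flag is set, and `enumerate` plays the attacker by comparing each candidate's response to the response for a name that cannot exist. All function names, messages and usernames are assumptions for this illustration.

```go
package main

import "fmt"

// Constructed in-memory user store (username -> password); stands in for
// ZITADEL's user lookup in this example only.
var users = map[string]string{
	"alice@example.com": "correct-horse",
	"bob@example.com":   "battery-staple",
}

// Settings models the single login-policy flag the advisory is about.
type Settings struct {
	IgnoreUnknownUsernames bool
}

// Response is everything the caller, and therefore an attacker, gets to observe.
type Response struct {
	Status  int
	Message string
}

// sent records which accounts were issued a reset code; it stands in for
// e-mail delivery so the example runs offline.
var sent []string

func sendResetCode(username string) { sent = append(sent, username) }

// login shows the flag working as intended: with the flag set, an unknown
// username and a wrong password produce the identical response.
func login(s Settings, username, password string) Response {
	pw, exists := users[username]
	if exists && pw == password {
		return Response{200, "authenticated"}
	}
	if !exists && !s.IgnoreUnknownUsernames {
		return Response{404, "user not found"}
	}
	return Response{401, "invalid username or password"}
}

// resetVulnerable models the flawed reset flow: the flag is never consulted,
// so an unknown username is reported as such regardless of policy.
func resetVulnerable(s Settings, username string) Response {
	if _, exists := users[username]; !exists {
		return Response{404, "user not found"}
	}
	sendResetCode(username)
	return Response{200, "reset code sent"}
}

// resetHardened consults the flag and, when it is set, answers identically
// whether or not the account exists; a code is still only sent to real accounts.
func resetHardened(s Settings, username string) Response {
	_, exists := users[username]
	if exists {
		sendResetCode(username)
	}
	if s.IgnoreUnknownUsernames {
		return Response{200, "if the account exists, a reset code has been sent"}
	}
	if !exists {
		return Response{404, "user not found"}
	}
	return Response{200, "reset code sent"}
}

// enumerate plays the attacker: it probes each candidate username and keeps
// those whose response differs from the response for a name that cannot exist.
func enumerate(handler func(Settings, string) Response, s Settings, candidates []string) []string {
	baseline := handler(s, "no-such-user@example.invalid")
	var found []string
	for _, c := range candidates {
		if handler(s, c) != baseline {
			found = append(found, c)
		}
	}
	return found
}

func main() {
	s := Settings{IgnoreUnknownUsernames: true}
	candidates := []string{"alice@example.com", "mallory@example.com", "bob@example.com"}
	fmt.Println("login distinguishes unknown users:",
		login(s, "mallory@example.com", "x") != login(s, "alice@example.com", "x"))
	fmt.Println("vulnerable reset reveals:", enumerate(resetVulnerable, s, candidates))
	fmt.Println("hardened reset reveals:  ", enumerate(resetHardened, s, candidates))
}
```

The attacker's check compares the full observable response (status and body), which is the leak the advisory describes. It does not cover timing: because the hardened handler only does the delivery work for real accounts, a deployment that wants the flag to hold against a timing side channel must also make the two paths take comparable time, which this example does not attempt.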
