Headline
CVE-2023-44399: Release v2.38.0 · zitadel/zitadel
ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called “Ignoring unknown usernames” which helps mitigate attacks that try to guess/enumerate usernames. While this setting was working properly during the authentication process, it did not work correctly on the password reset flow. This meant that even if this feature was active, an attacker could use the password reset function to verify whether an account exists within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.
2.38.0 (2023-10-09)
Bug Fixes
- add userID to intent responses (#6566) (2823678)
- apple idp configuration (#6575) (e5083b6)
- cnsl: hide new auth button if no routerlink (#6640) (eb31c2a)
- command: allow email as username (#6565) (9266f8f), closes #6460
- console: don’t show empty profile when signed out (#6573) (12f5376)
- console: hide domains settings for unauthorized users (#6602) (689655a)
- console: if Validate Org domains is disabled don’t show domain verification dialog (#6572) (57d8ff1)
- console: move org domains into settings page of the organization (#6612) (d01f4d2)
- Domains problematic (#6564) (7edc73b)
- email: UTF-8 “Q” encode subject header (#6637) (2e99d0f)
- ensure no events are skipped on token check (#6663) (e3ac217)
- inconsistencies and other minor issues in English strings (#6591) (a5decda)
- Increase suffix wrapper to 200px wide (#6590) (ebb8f92)
- login: firefox MFA radio mouse target (#6632) (e9148e9)
- only reuse active session and use correct policies (from user org) (#6603) (593d160)
- reduce origin check to tokens issued through code and implicit flow (#6681) (9696fde)
- set quotas (#6597) (ae1af6b)
- typo in “file too big” error message (#6577) (4bebcd6)
- update saml to v0.1.2 (#6570) (3183ba2)
- use enum for instance feature in system api (#6682) (827ce88)
Features
- add SAML as identity provider (#6454) (15fd304)
- console: more emphasize to preferred login name in user’s table and detail (#6588) (7faab03)
- improve Password.NotChanged message (#6589) (f9bb250)
- login: use default org for login without provided org context (#6625) (68bfab2)
- passwap: base64 standard encoding for pbkdf2 (#6629) (d380627)
Performance Improvements
- project quotas and usages (#6441) (1a49b7d)
Related news
### Impact
ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this setting was working properly during the authentication process, it did not work correctly on the password reset flow. This meant that even if this feature was active, an attacker could use the password reset function to verify whether an account exists within ZITADEL.

### Patches
This bug has been patched in versions >2.27.2 beginning with [2.37.3](https://github.com/zitadel/zitadel/releases/tag/v2.37.3) and [2.38.0](https://github.com/zitadel/zitadel/releases/tag/v2.38.0).

### Workarounds
None available; we advise updating if this is needed.

### References
None
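The flaw described in the headline and in the advisory above is a setting honoured on one flow (authentication) but not on another (password reset). The following added example is not ZITADEL's code: it models a reset endpoint that surfaces the user lookup result directly next to one that applies an "ignore unknown usernames" flag, plus the regression check a defender would keep in the test suite. The in-memory user store and the login names are constructed sample data.

```go
package main

import "fmt"

// Constructed sample user store for the demo (not ZITADEL's own storage).
var store = map[string]bool{"alice@example.com": true}

// ResetResponse is what the reset endpoint reports back to the caller.
type ResetResponse struct {
	Status int
	Body   string
}

// Handler is the shape shared by both reset flows below.
type Handler func(ignoreUnknownUsernames bool, login string) ResetResponse

// requestPasswordResetLeaky models the flawed flow: the lookup result is
// surfaced directly, so the setting is never consulted on this path.
func requestPasswordResetLeaky(ignoreUnknownUsernames bool, login string) ResetResponse {
	if !store[login] {
		return ResetResponse{Status: 404, Body: "user not found"}
	}
	return ResetResponse{Status: 200, Body: "reset code sent"}
}

// requestPasswordResetHardened honours the setting on the reset flow as well:
// an unknown login gets the same response as a known one and no mail is queued.
func requestPasswordResetHardened(ignoreUnknownUsernames bool, login string) ResetResponse {
	if !store[login] {
		if ignoreUnknownUsernames {
			return ResetResponse{Status: 200, Body: "reset code sent"} // silently skip sending
		}
		return ResetResponse{Status: 404, Body: "user not found"}
	}
	// in a real service the reset e-mail would be enqueued here
	return ResetResponse{Status: 200, Body: "reset code sent"}
}

// LeaksAccountExistence is a regression check: with the setting enabled, a
// known and an unknown login must produce identical responses.
func LeaksAccountExistence(h Handler, known, unknown string) bool {
	return h(true, known) != h(true, unknown)
}

func main() {
	fmt.Println("leaky leaks:", LeaksAccountExistence(requestPasswordResetLeaky, "alice@example.com", "nobody@example.com"))
	fmt.Println("hardened leaks:", LeaksAccountExistence(requestPasswordResetHardened, "alice@example.com", "nobody@example.com"))
}
```

The same check should cover every flow that takes a login name as input (login, reset, invite, MFA enrolment), since the setting only helps if each of them is covered.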