GHSA-gp8g-f42f-95q2: ZITADEL's actions can overload reserved claims

Impact

Under certain circumstances an action could set reserved claims managed by ZITADEL.

For example, it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name

{"urn:zitadel:iam:user:resourceowner:name": "ACME"}

if it was not set by ZITADEL itself.

To compensate for this, we introduced a protection that prevents actions from changing claims that start with urn:zitadel:iam.
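The two merge policies side by side, as an added Go example that is not ZITADEL's own code: mergeIfAbsent is an assumed model of the behaviour described under Impact, and mergeGuarded adds the prefix check. All function names and the sample claims are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// reservedPrefix is the namespace the advisory closes to actions.
const reservedPrefix = "urn:zitadel:iam"

// mergeIfAbsent models the pre-patch behaviour (an assumption, not ZITADEL's
// code): an action claim is accepted unless the system already set that key.
func mergeIfAbsent(system, action map[string]any) map[string]any {
	out := make(map[string]any, len(system)+len(action))
	for k, v := range system {
		out[k] = v
	}
	for k, v := range action {
		if _, exists := out[k]; !exists {
			out[k] = v
		}
	}
	return out
}

// mergeGuarded (hypothetical) first drops every action claim in the reserved
// namespace and returns the dropped keys, sorted, so they can be logged.
func mergeGuarded(system, action map[string]any) (map[string]any, []string) {
	allowed := make(map[string]any, len(action))
	var rejected []string
	for k, v := range action {
		if strings.HasPrefix(k, reservedPrefix) {
			rejected = append(rejected, k)
			continue
		}
		allowed[k] = v
	}
	sort.Strings(rejected)
	return mergeIfAbsent(system, allowed), rejected
}

func main() {
	// Constructed input: the system did not set the resource owner name.
	system := map[string]any{"sub": "1234"}
	action := map[string]any{reservedPrefix + ":user:resourceowner:name": "ACME", "department": "eng"}
	fmt.Println(mergeIfAbsent(system, action))
	fmt.Println(mergeGuarded(system, action))
}
```

Returning the rejected keys lets an operator log which actions still attempt to write into the reserved namespace after upgrading.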

Patches

2.x versions are fixed on >= 2.48.3
2.47.x versions are fixed on >= 2.47.8
2.46.x versions are fixed on >= 2.46.5
2.45.x versions are fixed on >= 2.45.5
2.44.x versions are fixed on >= 2.44.7
2.43.x versions are fixed on >= 2.43.11
2.42.x versions are fixed on >= 2.42.17

Workarounds

No workaround is available since a patch is available.

Credits

Many thanks to @schettn whose disclosure of another topic led us to find this issue.

CVE ID: CVE-2024-29892

ZITADEL’s actions can overload reserved claims

Moderate severity • GitHub Reviewed • Published Mar 27, 2024 in zitadel/zitadel • Updated Mar 28, 2024

Package: gomod github.com/zitadel/zitadel (Go)

Affected versions:
< 2.42.17
>= 2.43.0, < 2.43.11
>= 2.44.0, < 2.44.7
>= 2.45.0, < 2.45.5
>= 2.46.0, < 2.46.5
>= 2.47.0, < 2.47.8
>= 2.48.0, < 2.48.3

Patched versions:
2.42.17
2.43.11
2.44.7
2.45.5
2.46.5
2.47.8
2.48.3

Published to the GitHub Advisory Database: Mar 28, 2024

Last updated: Mar 28, 2024
