GHSA-v683-rcxx-vpff: ZITADEL's password reset does not respect the "Ignoring unknown usernames" setting

Impact

ZITADEL administrators can enable a setting called “Ignoring unknown usernames”, which helps mitigate attacks that try to guess or enumerate usernames. While this setting worked correctly during the authentication process, it was not applied to the password reset flow. This meant that even with the feature active, an attacker could use the password reset function to verify whether an account exists within ZITADEL.
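
As an added illustration (not ZITADEL's own code), the Go sketch below contrasts a reset handler that ignores the policy with one that returns the same response for known and unknown usernames, and adds a regression check a defender can keep in a test suite; the user store and policy types are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for ZITADEL's user store and login policy (assumptions, not
// ZITADEL's real types); the policy flag models "Ignoring unknown usernames".
type UserStore map[string]bool
type LoginPolicy struct{ IgnoreUnknownUsernames bool }

var ErrUserNotFound = errors.New("user not found")

// ResetHandler returns the message shown to the caller and an optional error.
type ResetHandler func(store UserStore, policy LoginPolicy, username string) (string, error)

// Before-state of the flaw: the reset flow ignores the policy, so an unknown
// username yields a visibly different response from a known one.
func RequestPasswordResetLeaky(store UserStore, _ LoginPolicy, username string) (string, error) {
	if !store[username] {
		return "", fmt.Errorf("%w: %s", ErrUserNotFound, username)
	}
	return "reset code sent", nil
}

// Fixed behaviour: with the policy enabled, known and unknown usernames receive
// the identical message; the code is only really dispatched for existing users.
func RequestPasswordReset(store UserStore, policy LoginPolicy, username string) (string, error) {
	const neutral = "If an account exists, a reset code has been sent"
	if store[username] {
		// dispatch the reset code out-of-band (email/SMS) here
		return neutral, nil
	}
	if policy.IgnoreUnknownUsernames {
		return neutral, nil
	}
	return "", fmt.Errorf("%w: %s", ErrUserNotFound, username)
}

// LeaksExistence is a regression check: does the handler's visible response differ
// between a known and an unknown username? It compares message and error presence
// only; response timing is a separate side channel not covered here.
func LeaksExistence(h ResetHandler, store UserStore, policy LoginPolicy, known, unknown string) bool {
	m1, e1 := h(store, policy, known)
	m2, e2 := h(store, policy, unknown)
	return m1 != m2 || (e1 == nil) != (e2 == nil)
}
```

With the policy switched off, the fixed handler still reports unknown usernames, which is the setting's intended semantics.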

Patches

This bug has been patched in versions newer than 2.37.2, beginning with 2.37.3 and 2.38.0.

Workarounds

None available; we advise updating if this is needed.

References

None

Package

gomod github.com/zitadel/zitadel (Go)

Affected versions

< 2.37.3

Patched versions

2.37.3

References

  • GHSA-v683-rcxx-vpff
  • https://nvd.nist.gov/vuln/detail/CVE-2023-44399
  • https://github.com/zitadel/zitadel/releases/tag/v2.37.3
  • https://github.com/zitadel/zitadel/releases/tag/v2.38.0

fforootd published to zitadel/zitadel

Oct 10, 2023

Published to the GitHub Advisory Database

Oct 10, 2023

Reviewed

Oct 10, 2023

Last updated

Oct 10, 2023

Related news

CVE-2023-44399: Release v2.38.0 · zitadel/zitadel

ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this setting was properly working during the authentication process, it did not work correctly on the password reset flow. This meant that even if this feature was active, an attacker could use the password reset function to verify if an account exists within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.