GHSA-7j7j-66cv-m239

Source

https://github.com/advisories/GHSA-7j7j-66cv-m239

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-7j7j-66cv-m239/GHSA-7j7j-66cv-m239.json

Aliases

• CVE-2024-32868

Published

2024-04-25T18:31:31Z

Modified

2024-04-26T14:41:46Z

Details

Impact

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email.

While ZITADEL already gives administrators the option to define a Lockout Policy with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks.

Patches

2.x versions are fixed on >= 2.50.0

Workarounds

There is no workaround since a patch is already available.

References

None

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Jack Moran and Ethan from zxsecurity and Amit Laish from GE Vernova for finding and reporting the vulnerability.

References

• https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239
• https://nvd.nist.gov/vuln/detail/CVE-2024-32868
• https://github.com/zitadel/zitadel
• https://github.com/zitadel/zitadel/releases/tag/v2.50.0