GHSA-gp8g-f42f-95q2

Source
https://github.com/advisories/GHSA-gp8g-f42f-95q2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-gp8g-f42f-95q2/GHSA-gp8g-f42f-95q2.json
Aliases
  • CVE-2024-29892
Published
2024-03-28T17:07:32Z
Modified
2024-03-28T17:41:45.071057Z
Details

Impact

Under certain circumstances an action could set reserved claims managed by ZITADEL.

For example, it would have been possible to set the claim urn:zitadel:iam:user:resourceowner:name

{"urn:zitadel:iam:user:resourceowner:name": "ACME"}

if it was not already set by ZITADEL itself.

To compensate for this we introduced a protection that prevents actions from changing any claim whose name starts with urn:zitadel:iam.
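The guard the advisory describes, shown as an added illustration rather than ZITADEL's own code: a hypothetical ApplyActionClaims merges the claims an action wants to set into the token claims and drops every key under the urn:zitadel:iam prefix, reporting what it dropped so it can be logged. Beside it, ApplyActionClaimsUnguarded reproduces the pre-fix behaviour the text describes (an action could set a reserved claim as long as ZITADEL had not set it already). The sample claim values are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// reservedClaimPrefix marks claims that ZITADEL manages itself. The advisory
// states that the fix prevents actions from changing claims with this prefix.
const reservedClaimPrefix = "urn:zitadel:iam"

// ApplyActionClaims (hypothetical helper, not ZITADEL's code) merges the claims
// an action wants to set into the token claims, refusing every reserved claim
// regardless of whether ZITADEL already set it. It returns the merged claim set
// and the sorted list of rejected keys so the caller can log them.
func ApplyActionClaims(tokenClaims, actionClaims map[string]any) (map[string]any, []string) {
	merged := make(map[string]any, len(tokenClaims)+len(actionClaims))
	for k, v := range tokenClaims {
		merged[k] = v
	}
	var rejected []string
	for k, v := range actionClaims {
		if strings.HasPrefix(k, reservedClaimPrefix) {
			rejected = append(rejected, k)
			continue
		}
		merged[k] = v
	}
	sort.Strings(rejected)
	return merged, rejected
}

// ApplyActionClaimsUnguarded models the behaviour the advisory describes as
// vulnerable: an action may not overwrite a claim ZITADEL set, but any claim
// that is absent, reserved or not, is accepted as-is.
func ApplyActionClaimsUnguarded(tokenClaims, actionClaims map[string]any) map[string]any {
	merged := make(map[string]any, len(tokenClaims)+len(actionClaims))
	for k, v := range tokenClaims {
		merged[k] = v
	}
	for k, v := range actionClaims {
		if _, set := merged[k]; set {
			continue // ZITADEL already set it; keep that value
		}
		merged[k] = v // reserved prefix is never checked here
	}
	return merged
}

func main() {
	// Constructed sample: claims ZITADEL set on the token (note that the
	// resourceowner name is NOT among them), and claims a hypothetical action
	// tries to add, including the reserved claim from the advisory.
	tokenClaims := map[string]any{
		"sub": "123456789",
	}
	actionClaims := map[string]any{
		"department": "engineering",
		"urn:zitadel:iam:user:resourceowner:name": "ACME",
	}

	unguarded := ApplyActionClaimsUnguarded(tokenClaims, actionClaims)
	fmt.Println("unguarded:", unguarded) // reserved claim slips through

	merged, rejected := ApplyActionClaims(tokenClaims, actionClaims)
	fmt.Println("guarded:  ", merged)   // only "department" was added
	fmt.Println("rejected: ", rejected) // the reserved key, for the audit log
}
```

The unguarded variant only defends against overwriting, which is why the absence of a ZITADEL-managed claim was the condition under which an action could inject one; the prefix check closes that gap independently of what the token already contains.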

Patches

  • 2.x versions are fixed on >= 2.48.3
  • 2.47.x versions are fixed on >= 2.47.8
  • 2.46.x versions are fixed on >= 2.46.5
  • 2.45.x versions are fixed on >= 2.45.5
  • 2.44.x versions are fixed on >= 2.44.7
  • 2.43.x versions are fixed on >= 2.43.11
  • 2.42.x versions are fixed on >= 2.42.17

Workarounds

No workaround is available; upgrade to a patched version.

Credits

Many thanks to @schettn, whose disclosure of another topic led us to find this issue.

References

Affected packages

Go / github.com/zitadel/zitadel

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
2.42.17

Go / github.com/zitadel/zitadel

Affected ranges

Type
SEMVER
Events
Introduced
2.43.0
Fixed
2.43.11

Go / github.com/zitadel/zitadel

Affected ranges

Type
SEMVER
Events
Introduced
2.44.0
Fixed
2.44.7

Go / github.com/zitadel/zitadel

Affected ranges

Type
SEMVER
Events
Introduced
2.45.0
Fixed
2.45.5

Go / github.com/zitadel/zitadel

Affected ranges

Type
SEMVER
Events
Introduced
2.46.0
Fixed
2.46.5

Go / github.com/zitadel/zitadel

Affected ranges

Type
SEMVER
Events
Introduced
2.47.0
Fixed
2.47.8

Go / github.com/zitadel/zitadel

Affected ranges

Type
SEMVER
Events
Introduced
2.48.0
Fixed
2.48.3