GHSA-gp8g-f42f-95q2

Impact

Under certain circumstances an action could set reserved claims managed by ZITADEL.

For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name

{"urn:zitadel:iam:user:resourceowner:name": "ACME"}

if it was not set by ZITADEL itself.

To compensate for this we introduced a protection that does prevent actions from changing claims that start with urn:zitadel:iam

Patches

2.x versions are fixed on >= 2.48.3 2.47.x versions are fixed on >= 2.47.8 2.46.x versions are fixed on >= 2.46.5 2.45.x versions are fixed on >= 2.45.5 2.44.x versions are fixed on >= 2.44.7 2.43.x versions are fixed on >= 2.43.11 2.42.x versions are fixed on >= 2.42.17

Workarounds

No workaround available since a patch is available

Credits

Many thanks to @schettn whose disclosure of another topic lead us to find this issue.