CVE-2022-36051

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/zitadel/zitadel/releases/tag/v1.87.1	Third Party Advisory
https://github.com/zitadel/zitadel/releases/tag/v2.2.0	Patch Release Notes Third Party Advisory
https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::

History

No history.

Information

Published : 2022-08-31 23:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-36051

Mitre link : CVE-2022-36051

CVE.ORG link : CVE-2022-36051

JSON object : View

Products Affected

zitadel

zitadel

CWE

CWE-863

Incorrect Authorization

CWE-436

Interpretation Conflict

{"id": "CVE-2022-36051", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2022-08-31T23:15:08.097", "references": [{"url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-436"}]}], "descriptions": [{"lang": "en", "value": "ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update."}, {"lang": "es", "value": "ZITADEL combina la facilidad de Auth0 y la versatilidad de Keycloak.**Acciones**, introducido en ZITADEL versi\u00f3n **1.42.0** en la API y versi\u00f3n **1.56.0** para la Consola, es una caracter\u00edstica, donde los usuarios con rol.\"ORG_OWNER\" son capaces de crear C\u00f3digo Javascript, que es invocado por el sistema en ciertos puntos durante el login. Las **Acciones**, por ejemplo, permiten crear autorizaciones (subvenciones a usuarios) en usuarios reci\u00e9n creados de forma program\u00e1tica. Debido a una falta de comprobaci\u00f3n de autorizaciones, las **Actions** pod\u00edan conceder autorizaciones a proyectos que pertenec\u00edan a otras organizaciones dentro de la misma Instancia. La concesi\u00f3n de autorizaciones por medio de la API y la consola no est\u00e1 afectada por esta vulnerabilidad. Actualmente no se presenta una mitigaci\u00f3n conocida, los usuarios deben actualizar"}], "lastModified": "2022-09-09T15:12:45.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21639E9B-F9C6-4154-A621-5EB699AA2F2F", "versionEndExcluding": "1.87.1", "versionStartIncluding": "1.42.0"}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74BEE341-A883-47DE-A2B1-E62F55AFCC90", "versionEndExcluding": "2.2.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}