Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised t upgrade. Users unable to upgrade may instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account's password.
References
Link | Resource |
---|---|
https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393 | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
24 Sep 2024, 20:25
Type | Values Removed | Values Added |
---|---|---|
First Time |
Zitadel zitadel
Zitadel |
|
CWE | NVD-CWE-noinfo | |
CPE | cpe:2.3:a:zitadel:zitadel:2.62.0:*:*:*:*:*:*:* cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* cpe:2.3:a:zitadel:zitadel:2.61.0:*:*:*:*:*:*:* |
|
References | () https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393 - Patch, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
20 Sep 2024, 12:30
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
20 Sep 2024, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-20 00:15
Updated : 2024-09-24 20:25
NVD link : CVE-2024-47000
Mitre link : CVE-2024-47000
CVE.ORG link : CVE-2024-47000
JSON object : View
Products Affected
zitadel
- zitadel
CWE