CVE-2022-36051
August 31, 2022
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.Actions, introduced in ZITADEL 1.42.0 on the API and 1.56.0 for Console, is a feature, where users with role."ORG_OWNER" are able to create Javascript Code, which is invoked by the system at certain points during the login. Actions, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, Actions were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update.
Affected Packages
github.com/zitadel/zitadel (GO):
Affected version(s) >=v2.0.0 <v2.2.0Fix Suggestion:
Update to version v2.2.0github.com/zitadel/zitadel (GO):
Affected version(s) >=v1.42.0 <v1.87.1Fix Suggestion:
Update to version v1.87.1Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (9)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
EPSS
Base Score:
0.29
