Home > Vulnerability Database > CVE-2023-44399

Mend.io Vulnerability Database

CVE-2023-44399

Good to know:

Date: October 10, 2023

ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.

Language: Go

Severity Score

5.3

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-44399

Url: https://github.com/zitadel/zitadel/releases/tag/v2.38.0

Url: https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff

Url: https://github.com/zitadel/zitadel/releases/tag/v2.37.3

Url: https://www.mend.io/vulnerability-database/CVE-2023-44399

Severity Score

5.3

Weakness Type (CWE)

Weak Password Recovery Mechanism for Forgotten Password

CWE-640

Top Fix

Upgrade Version

Upgrade to version v2.37.3,v2.38.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-44399

Good to know:

Date: October 10, 2023

Language: Go

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?