Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-36051

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update.

Published

2022-08-31T23:15:08.097

Last Modified

2024-11-21T07:12:16.227

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.7 (HIGH)

Weaknesses

Type: Secondary
CWE-436
Type: Primary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	zitadel	zitadel	< 1.87.1	Yes
Application	zitadel	zitadel	< 2.2.0	Yes

References

https://github.com/zitadel/zitadel/releases/tag/v1.87.1 Third Party Advisory ([email protected])
https://github.com/zitadel/zitadel/releases/tag/v2.2.0 Patch, Release Notes, Third Party Advisory ([email protected])
https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c Third Party Advisory ([email protected])
https://github.com/zitadel/zitadel/releases/tag/v1.87.1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/zitadel/zitadel/releases/tag/v2.2.0 Patch, Release Notes, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)