Vulnerability Monitor

CVE-2024-39683


ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that user-agent information (e.g. sessions created through the session service) were incorrectly listed, potentially exposing other users' sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available.


Published

2024-07-03T20:15:04.840

Last Modified

2025-01-08T18:24:07.627

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.7 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-200
  • Type: Primary
    NVD-CWE-noinfo

Affected Vendors & Products
Type         Vendor    Product   Version/Range   Vulnerable?
Application  zitadel   zitadel   < 2.53.8        Yes
Application  zitadel   zitadel   < 2.54.5        Yes
Application  zitadel   zitadel   2.55.0          Yes
