CVE-2024-29892: ZITADEL's actions can overload reserved claims
Under certain circumstances, an action could set reserved claims that are managed by ZITADEL. For example, it was possible to set the claim urn:zitadel:iam:user:resourceowner:name to
{"urn:zitadel:iam:user:resourceowner:name": "ACME"}
if ZITADEL had not set that claim itself.
To compensate for this, we introduced a protection that prevents actions from changing any claim whose name starts with urn:zitadel:iam.
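The prefix-based protection described above, as an added example that is not ZITADEL's own code: a hypothetical claim-merge helper in Go that drops every action-proposed claim inside the urn:zitadel:iam namespace, whether or not the issuer had already set it. The function names MergeActionClaims and mergeProtectingOnlyExisting, and the sample claim maps, are assumptions constructed for this illustration; the weak variant only reconstructs the behaviour the advisory describes (already-set claims protected, unset reserved claims not) and is not ZITADEL's implementation.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// reservedClaimPrefix is the namespace the advisory says is now protected
// from modification by actions.
const reservedClaimPrefix = "urn:zitadel:iam"

// mergeProtectingOnlyExisting reconstructs the weak behaviour the advisory
// describes (a hypothetical illustration, not ZITADEL's code): an action may
// not overwrite a claim the issuer already set, but it can still introduce a
// reserved claim the issuer left unset.
func mergeProtectingOnlyExisting(issuerClaims, actionClaims map[string]any) map[string]any {
	merged := make(map[string]any, len(issuerClaims)+len(actionClaims))
	for k, v := range issuerClaims {
		merged[k] = v
	}
	for k, v := range actionClaims {
		if _, set := merged[k]; set {
			continue // only already-set claims are protected
		}
		merged[k] = v
	}
	return merged
}

// MergeActionClaims is the hardened form: every action-proposed key inside the
// reserved namespace is dropped and reported, regardless of whether the issuer
// had set it, so an action can neither overwrite nor introduce such a claim.
func MergeActionClaims(issuerClaims, actionClaims map[string]any) (map[string]any, []string) {
	merged := make(map[string]any, len(issuerClaims)+len(actionClaims))
	for k, v := range issuerClaims {
		merged[k] = v
	}
	var rejected []string
	for k, v := range actionClaims {
		if strings.HasPrefix(k, reservedClaimPrefix) {
			// Audit candidate: an action attempted to touch a reserved claim.
			rejected = append(rejected, k)
			continue
		}
		merged[k] = v
	}
	sort.Strings(rejected) // deterministic order for logging and tests
	return merged, rejected
}

func main() {
	// Constructed sample: the issuer set no resourceowner claim, and an action
	// proposes the value from the advisory's example next to a legitimate
	// custom claim.
	issuer := map[string]any{"sub": "user-1"}
	action := map[string]any{
		"urn:zitadel:iam:user:resourceowner:name": "ACME",
		"department":                              "engineering",
	}

	weak := mergeProtectingOnlyExisting(issuer, action)
	fmt.Println("weak merge, reserved claim present:", weak["urn:zitadel:iam:user:resourceowner:name"] != nil)

	hardened, rejected := MergeActionClaims(issuer, action)
	fmt.Println("hardened merge, reserved claim present:", hardened["urn:zitadel:iam:user:resourceowner:name"] != nil)
	fmt.Println("rejected keys:", rejected)
}
```

Returning the rejected keys rather than silently dropping them is the useful part for operations: a non-empty list from a token issuance is a signal that an action is trying to write into the reserved namespace and is worth logging.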
References
- github.com/advisories/GHSA-gp8g-f42f-95q2
- github.com/zitadel/zitadel
- github.com/zitadel/zitadel/releases/tag/v2.42.17
- github.com/zitadel/zitadel/releases/tag/v2.43.11
- github.com/zitadel/zitadel/releases/tag/v2.44.7
- github.com/zitadel/zitadel/releases/tag/v2.45.5
- github.com/zitadel/zitadel/releases/tag/v2.46.5
- github.com/zitadel/zitadel/releases/tag/v2.47.8
- github.com/zitadel/zitadel/releases/tag/v2.48.3
- github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2
- nvd.nist.gov/vuln/detail/CVE-2024-29892