CVE-2024-29892: ZITADEL's actions can overload reserved claims
(updated )
Under certain circumstances an action could set reserved claims managed by ZITADEL.
For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name
{"urn:zitadel:iam:user:resourceowner:name": "ACME"}
if it was not set by ZITADEL itself.
To compensate for this we introduced a protection that does prevent actions from changing claims that start with urn:zitadel:iam
References
- github.com/advisories/GHSA-gp8g-f42f-95q2
- github.com/zitadel/zitadel
- github.com/zitadel/zitadel/releases/tag/v2.42.17
- github.com/zitadel/zitadel/releases/tag/v2.43.11
- github.com/zitadel/zitadel/releases/tag/v2.44.7
- github.com/zitadel/zitadel/releases/tag/v2.45.5
- github.com/zitadel/zitadel/releases/tag/v2.46.5
- github.com/zitadel/zitadel/releases/tag/v2.47.8
- github.com/zitadel/zitadel/releases/tag/v2.48.3
- github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2
- nvd.nist.gov/vuln/detail/CVE-2024-29892
Code Behaviors & Features
Detect and mitigate CVE-2024-29892 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →