CVE-2024-39683: ZITADEL Vulnerable to Session Information Leakage
ZITADEL provides users the ability to list all user sessions of the current user agent (browser) by API and in the Console UI.
Due to a missing check, user sessions without that information (e.g. when created through the session service) were incorrectly listed, potentially exposing other users' sessions.
Note that the Login UI was never affected and there was no possibility to take over such a session.
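The class of check the advisory describes, as an added Go illustration that is not ZITADEL's own code (the Session struct, its field names and the sample sessions are constructed assumptions): a filter that treats a missing user-agent ID as "no mismatch" lists sessions created without one to every caller, while the corrected filter requires a positive match.

```go
package main

import "fmt"

// Session is a constructed, simplified model: sessions created through a
// browser login carry that browser's user-agent ID, while sessions created
// through a backend session API may carry none (UserAgentID == "").
type Session struct {
	ID          string
	UserID      string
	UserAgentID string
}

// listSessionsVulnerable illustrates the bug class (hypothetical code): it
// only drops sessions whose user-agent ID is set AND differs, so sessions
// with no user-agent information pass the filter for every caller.
func listSessionsVulnerable(all []Session, callerUA string) []Session {
	var out []Session
	for _, s := range all {
		if s.UserAgentID != "" && s.UserAgentID != callerUA {
			continue
		}
		out = append(out, s)
	}
	return out
}

// listSessionsFixed requires a positive match: a session is listed only if
// it carries a user-agent ID equal to the caller's. A caller without a
// user-agent ID therefore sees nothing rather than everything.
func listSessionsFixed(all []Session, callerUA string) []Session {
	var out []Session
	for _, s := range all {
		if s.UserAgentID == "" || s.UserAgentID != callerUA {
			continue
		}
		out = append(out, s)
	}
	return out
}

// sampleSessions returns constructed data: two browser sessions and one
// session created without user-agent information.
func sampleSessions() []Session {
	return []Session{
		{ID: "s1", UserID: "alice", UserAgentID: "ua-alice"},
		{ID: "s2", UserID: "bob", UserAgentID: "ua-bob"},
		{ID: "s3", UserID: "carol", UserAgentID: ""},
	}
}

func main() {
	fmt.Println("vulnerable:", listSessionsVulnerable(sampleSessions(), "ua-alice"))
	fmt.Println("fixed:     ", listSessionsFixed(sampleSessions(), "ua-alice"))
}
```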
References
- discord.com/channels/927474939156643850/1254096852937347153
- github.com/advisories/GHSA-cvw9-c57h-3397
- github.com/zitadel/zitadel
- github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04
- github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da
- github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73
- github.com/zitadel/zitadel/issues/8213
- github.com/zitadel/zitadel/pull/8231
- github.com/zitadel/zitadel/releases/tag/v2.53.8
- github.com/zitadel/zitadel/releases/tag/v2.54.5
- github.com/zitadel/zitadel/releases/tag/v2.55.1
- github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397
- nvd.nist.gov/vuln/detail/CVE-2024-39683