GMS-2022-3751: Broken Authorization in ZITADEL Actions

August 30, 2022

Actions introduced in ZITADEL 1.42.0 on the API and 1.56.0 for Console, is a feature, where users with role ORG_OWNER are able to create Javascript Code, which is invoked by the system at certain points during the login.

References

github.com/advisories/GHSA-c8fj-4pm8-mp2c
github.com/zitadel/zitadel/pull/4237
github.com/zitadel/zitadel/pull/4238
github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c

Code Behaviors & Features

Detect and mitigate GMS-2022-3751 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →