CVE-2024-46999: ZITADEL's User Grant Deactivation not Working

September 19, 2024 (updated September 20, 2024)

ZITADEL’s user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state.

References

Code Behaviors & Features

Detect and mitigate CVE-2024-46999 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 2.54.10, all versions starting from 2.55.0 before 2.55.8, all versions starting from 2.56.0 before 2.56.6, all versions starting from 2.57.0 before 2.57.5, all versions starting from 2.58.0 before 2.58.5, all versions starting from 2.59.0 before 2.59.3, all versions starting from 2.60.0 before 2.60.2, all versions starting from 2.61.0 before 2.61.1, all versions starting from 2.62.0 before 2.62.1