x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968

GoVulnBot · 2024-07-03T21:01:26Z

Advisory CVE-2024-39683 references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description:
ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created though the session service) were incorrectly listed exposing potentially other user's sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available.

References:

Cross references:

Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961 NOT_IMPORTABLE
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489 NOT_IMPORTABLE
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-44399 #2107 EFFECTIVELY_PRIVATE
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-46238 #2155 EFFECTIVELY_PRIVATE
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7h8m-vrxx-vr4m #2187 EFFECTIVELY_PRIVATE
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-2wmj-46rj-qm2w #2368 NOT_IMPORTABLE
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-mq4x-r2w3-j7mr #2637
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hfrg-4jwr-jfpj #2655
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-gp8g-f42f-95q2 #2664
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hr5w-cwwq-2v4m #2665
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7j7j-66cv-m239 #2788
Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-32967 #2804

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      vulnerable_at: 1.87.5
summary: CVE-2024-39683 in github.com/zitadel/zitadel
cves:
    - CVE-2024-39683
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39683
    - fix: https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04
    - fix: https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da
    - fix: https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73
    - fix: https://github.com/zitadel/zitadel/pull/8231
    - report: https://github.com/zitadel/zitadel/issues/8213
    - web: https://discord.com/channels/927474939156643850/1254096852937347153
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.53.8
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.54.5
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.55.1
    - web: https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397
source:
    id: CVE-2024-39683
    created: 2024-07-03T21:01:26.257589348Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-07-08T17:59:36Z

Change https://go.dev/cl/597158 mentions this issue: data/reports: add 7 unreviewed reports

tatianab added the triaged label Jul 8, 2024

tatianab self-assigned this Jul 8, 2024

gopherbot closed this as completed in f268f3b Jul 9, 2024

This was referenced Jul 31, 2024

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41952 #3014

Closed

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41953 #3015

Closed

This was referenced Jul 31, 2024

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41952,GHSA-567v-6hmg-6qg7 tatianab/scratch#21

Open

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41953,GHSA-v333-7h2p-5fhv tatianab/scratch#22

Open

This was referenced Oct 25, 2024

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49753 #3216

Closed

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49757 #3217

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968

GoVulnBot commented Jul 3, 2024

gopherbot commented Jul 8, 2024

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968

Comments

GoVulnBot commented Jul 3, 2024

gopherbot commented Jul 8, 2024