Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-46999 #3150

Closed
GoVulnBot opened this issue Sep 20, 2024 · 2 comments

Comments

@GoVulnBot
Copy link

Advisory CVE-2024-46999 references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description:
Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management and auth API always returned the state as active or did not provide any information about the state. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly remove the user grant...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      vulnerable_at: 1.87.5
summary: CVE-2024-46999 in github.com/zitadel/zitadel
cves:
    - CVE-2024-46999
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-46999
    - web: https://github.com/zitadel/zitadel/security/advisories/GHSA-2w5j-qfvw-2hf5
source:
    id: CVE-2024-46999
    created: 2024-09-20T01:01:24.671910868Z
review_status: UNREVIEWED

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/616059 mentions this issue: data/reports: add 13 unreviewed reports

@tatianab
Copy link
Contributor

Duplicate of #3137

@tatianab tatianab marked this as a duplicate of #3137 Sep 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants