CVE-2023-44399

MEDIUM

Zitadel < 2.37.2 - Password Reset Weakness

Title source: rule

Description

ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.

References (3)

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.37.3

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.38.0

[Vendor Advisory] https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff

Scores

CVSS v3 5.3

EPSS 0.0035

EPSS Percentile 57.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-640

Status published

Affected Products (2)

zitadel/zitadel < 2.37.2

zitadel/zitadel < 2.37.3Go

Timeline

Published Oct 10, 2023

Tracked Since Feb 18, 2026