CVE-2023-44399

MEDIUM

Zitadel < 2.37.2 - Password Reset Weakness

Title source: rule

Description

ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.

References (3)

[Vendor Advisory] https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.37.3

[Release Notes] https://github.com/zitadel/zitadel/releases/tag/v2.38.0

Scores

CVSS v3 5.3

EPSS 0.0035

EPSS Percentile 57.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-640

Status published

Products (2)

zitadel/zitadel < 2.37.2

zitadel/zitadel 0 - 2.37.3Go

Published Oct 10, 2023

Tracked Since Feb 18, 2026