CVE-2024-47000

HIGH

Zitadel < 2.54.10 and 2.62.0-2.62.1 - Improper Privilege Management in Service Account Deactivation

Title source: llm

Description

Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised t upgrade. Users unable to upgrade may instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account's password.

References (1)

Core 1

Core References

Patch, Vendor Advisory x_refsource_confirm

https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393

Scores

CVSS v3 8.1

EPSS 0.0040

EPSS Percentile 32.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-269

Status published

Products (4)

zitadel/zitadel 2.61.0

zitadel/zitadel 2.62.0

zitadel/zitadel < 2.54.10

zitadel/zitadel 2.62.0 - 2.62.1Go

Published Sep 20, 2024

Tracked Since Feb 18, 2026