CVE-2022-36051 - OpenCVE

Vendors	Products
Zitadel	Zitadel

Link	Providers
https://github.com/zitadel/zitadel/releases/tag/v1.87.1
https://github.com/zitadel/zitadel/releases/tag/v2.2.0
https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c

{"containers": {"cna": {"affected": [{"product": "zitadel", "vendor": "zitadel", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.2.0"}, {"status": "affected", "version": ">= 1.42.0, < 1.87.1"}]}], "descriptions": [{"lang": "en", "value": "ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-31T22:40:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0"}], "source": {"advisory": "GHSA-c8fj-4pm8-mp2c", "discovery": "UNKNOWN"}, "title": "Broken Authorization in ZITADEL Actions", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36051", "STATE": "PUBLIC", "TITLE": "Broken Authorization in ZITADEL Actions"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "zitadel", "version": {"version_data": [{"version_value": ">= 2.0.0, < 2.2.0"}, {"version_value": ">= 1.42.0, < 1.87.1"}]}}]}, "vendor_name": "zitadel"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-436: Interpretation Conflict"}]}]}, "references": {"reference_data": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c", "refsource": "CONFIRM", "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c"}, {"name": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1", "refsource": "MISC", "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1"}, {"name": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0", "refsource": "MISC", "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0"}]}, "source": {"advisory": "GHSA-c8fj-4pm8-mp2c", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:51:59.984Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36051", "datePublished": "2022-08-31T22:40:10", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:51:59.984Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "21639E9B-F9C6-4154-A621-5EB699AA2F2F", "versionEndExcluding": "1.87.1", "versionStartIncluding": "1.42.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "74BEE341-A883-47DE-A2B1-E62F55AFCC90", "versionEndExcluding": "2.2.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update."}, {"lang": "es", "value": "ZITADEL combina la facilidad de Auth0 y la versatilidad de Keycloak.**Acciones**, introducido en ZITADEL versi\u00f3n **1.42.0** en la API y versi\u00f3n **1.56.0** para la Consola, es una caracter\u00edstica, donde los usuarios con rol.\"ORG_OWNER\" son capaces de crear C\u00f3digo Javascript, que es invocado por el sistema en ciertos puntos durante el login. Las **Acciones**, por ejemplo, permiten crear autorizaciones (subvenciones a usuarios) en usuarios reci\u00e9n creados de forma program\u00e1tica. Debido a una falta de comprobaci\u00f3n de autorizaciones, las **Actions** pod\u00edan conceder autorizaciones a proyectos que pertenec\u00edan a otras organizaciones dentro de la misma Instancia. La concesi\u00f3n de autorizaciones por medio de la API y la consola no est\u00e1 afectada por esta vulnerabilidad. Actualmente no se presenta una mitigaci\u00f3n conocida, los usuarios deben actualizar"}], "id": "CVE-2022-36051", "lastModified": "2022-09-09T15:12:45.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-08-31T23:15:08.097", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/zitadel/zitadel/releases/tag/v1.87.1"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/zitadel/zitadel/releases/tag/v2.2.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-436"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object