{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-22492", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-12-29T17:41:28.089Z", "datePublished": "2023-01-11T19:42:50.505Z", "dateUpdated": "2025-03-10T21:30:41.038Z"}, "containers": {"cna": {"title": "RefreshToken invalidation vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8"}, {"name": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83", "tags": ["x_refsource_MISC"], "url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83"}, {"name": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2", "tags": ["x_refsource_MISC"], "url": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2"}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"version": ">= 2.17.0, < 2.17.3", "status": "affected"}, {"version": ">= 2.0.0, < 2.16.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-11T19:42:50.505Z"}, "descriptions": [{"lang": "en", "value": "ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user\u2019s session was already terminated (\u201clogged out\u201d) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4. "}], "source": {"advisory": "GHSA-6rrr-78xp-5jp8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:13:48.665Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8"}, {"name": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83"}, {"name": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T21:00:16.231923Z", "id": "CVE-2023-22492", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T21:30:41.038Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83", "name": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2", "name": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:13:48.665Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-22492", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-10T21:00:16.231923Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T21:00:17.676Z"}}], "cna": {"title": "RefreshToken invalidation vulnerability", "source": {"advisory": "GHSA-6rrr-78xp-5jp8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"status": "affected", "version": ">= 2.17.0, < 2.17.3"}, {"status": "affected", "version": ">= 2.0.0, < 2.16.4"}]}], "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83", "name": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2", "name": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user\u2019s session was already terminated (\u201clogged out\u201d) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4. "}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-11T19:42:50.505Z"}}}, "cveMetadata": {"cveId": "CVE-2023-22492", "state": "PUBLISHED", "dateUpdated": "2025-03-10T21:30:41.038Z", "dateReserved": "2022-12-29T17:41:28.089Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-01-11T19:42:50.505Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0656FCDD-D804-476F-B8F8-4BB6845B622A", "versionEndExcluding": "2.16.4", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52C4BACF-5AB3-4DBF-865D-E0FC740C379C", "versionEndExcluding": "2.17.3", "versionStartIncluding": "2.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user\u2019s session was already terminated (\u201clogged out\u201d) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4. "}, {"lang": "es", "value": "ZITADEL es una combinaci\u00f3n de Auth0 y Keycloak. RefreshTokens es una caracter\u00edstica de OAuth 2.0 que permite a las aplicaciones recuperar nuevos tokens de acceso y actualizar la sesi\u00f3n del usuario sin la necesidad de interactuar con una interfaz de usuario. Los RefreshTokens no se invalidaban cuando un usuario era bloqueado o desactivado. El usuario desactivado o bloqueado pudo obtener un token de acceso v\u00e1lido solo mediante una concesi\u00f3n de token de actualizaci\u00f3n. Cuando la sesi\u00f3n del usuario bloqueado o desactivado ya hab\u00eda finalizado (\u201clogged out\u201d) no era posible crear una nueva sesi\u00f3n. La renovaci\u00f3n del token de acceso mediante una concesi\u00f3n de token de actualizaci\u00f3n est\u00e1 limitada a la cantidad de tiempo configurada (RefreshTokenExpiration). Como workaround, aseg\u00farese de que RefreshTokenExpiration en la configuraci\u00f3n OIDC de su instancia est\u00e9 configurado de acuerdo con sus requisitos de seguridad. Este problema se solucion\u00f3 en las versiones 2.17.3 y 2.16.4."}], "id": "CVE-2023-22492", "lastModified": "2024-11-21T07:44:55.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-11T20:15:08.970", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}