CVE-2023-49097 - OpenCVE

ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zitadel	Zitadel

Configuration 1 [-]

OR	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::

No data.

References

Link	Providers
https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-30T04:45:49.675Z

Updated: 2024-08-02T21:46:28.898Z

Reserved: 2023-11-21T18:57:30.430Z

Link: CVE-2023-49097

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-11-30T05:15:09.503

Modified: 2023-12-08T15:18:19.507

Link: CVE-2023-49097

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49097", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-21T18:57:30.430Z", "datePublished": "2023-11-30T04:45:49.675Z", "dateUpdated": "2024-08-02T21:46:28.898Z"}, "containers": {"cna": {"title": "ZITADEL vulnerable account takeover via malicious host header injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-640", "lang": "en", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w"}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"version": ">= 2.39.0, < 2.39.9", "status": "affected"}, {"version": ">= 2.40.0, < 2.40.10", "status": "affected"}, {"version": ">= 2.41.0, < 2.41.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-30T04:45:49.675Z"}, "descriptions": [{"lang": "en", "value": "ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.\n"}], "source": {"advisory": "GHSA-2wmj-46rj-qm2w", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:28.898Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B217DCB5-07BA-4BA3-97A2-91397DAA878D", "versionEndExcluding": "2.39.9", "versionStartIncluding": "2.39.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "75A6467A-C432-4810-A2D9-FBED9090ED67", "versionEndExcluding": "2.40.10", "versionStartIncluding": "2.40.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A14C74C2-0A2A-4F71-86D6-7CFE7911D6EB", "versionEndExcluding": "2.41.6", "versionStartIncluding": "2.41.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.\n"}, {"lang": "es", "value": "ZITADEL es un sistema de infraestructura de identidad. ZITADEL utiliza el encabezado de solicitudes de activaci\u00f3n de notificaciones Forwarded o X-Forwarded-Host para crear el enlace del bot\u00f3n enviado en los correos electr\u00f3nicos para confirmar un restablecimiento de contrase\u00f1a con el c\u00f3digo enviado por correo electr\u00f3nico. Si este encabezado se sobrescribe y un usuario hace clic en el enlace a un sitio malicioso en el correo electr\u00f3nico, el c\u00f3digo secreto se puede recuperar y utilizar para restablecer la contrase\u00f1a del usuario y hacerse cargo de su cuenta. Este ataque no puede apoderarse de las cuentas con MFA o sin contrase\u00f1a habilitadas. Este problema se solucion\u00f3 en las versiones 2.41.6, 2.40.10 y 2.39.9."}], "id": "CVE-2023-49097", "lastModified": "2023-12-08T15:18:19.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-30T05:15:09.503", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "security-advisories@github.com", "type": "Primary"}]}