{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28197", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-06T17:35:00.860Z", "datePublished": "2024-03-11T19:48:11.008Z", "dateUpdated": "2024-08-26T18:14:26.566Z"}, "containers": {"cna": {"title": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA]", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr"}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"version": "< 2.44.3", "status": "affected"}, {"version": ">= 2.45.0, < 2.45.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-11T19:48:11.008Z"}, "descriptions": [{"lang": "en", "value": "Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim\u2019s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`."}], "source": {"advisory": "GHSA-mq4x-r2w3-j7mr", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "zitadel", "product": "zitadel", "cpes": ["cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.44.3", "versionType": "custom"}, {"version": "2.45.0", "status": "affected", "lessThan": "2.45.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-26T18:13:08.740406Z", "id": "CVE-2024-28197", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T18:14:26.566Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.535Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.535Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28197", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-26T18:13:08.740406Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"], "vendor": "zitadel", "product": "zitadel", "versions": [{"status": "affected", "version": "0", "lessThan": "2.44.3", "versionType": "custom"}, {"status": "affected", "version": "2.45.0", "lessThan": "2.45.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:16.931Z"}}], "cna": {"title": "Account Takeover via Session Fixation in Zitadel [Bypassing MFA]", "source": {"advisory": "GHSA-mq4x-r2w3-j7mr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"status": "affected", "version": "< 2.44.3"}, {"status": "affected", "version": ">= 2.45.0, < 2.45.1"}]}], "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim\u2019s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-11T19:48:11.008Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28197", "state": "PUBLISHED", "dateUpdated": "2024-08-26T18:14:26.566Z", "dateReserved": "2024-03-06T17:35:00.860Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-11T19:48:11.008Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A896302F-4289-419A-882F-8E4207B611A2", "versionEndExcluding": "2.44.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:2.45.0:-:*:*:*:*:*:*", "matchCriteriaId": "CDF0C992-982C-4963-BFE4-1592B681D69E", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:2.45.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "BDA3827B-80DF-4A2A-A103-97FE37352090", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:2.46.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CCEA9592-45E4-4C4A-906F-62732495B2D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:2.46.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D5C0396B-7FFB-4700-BBFF-AC7D2748B00A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim\u2019s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`."}, {"lang": "es", "value": "Zitadel es un sistema de gesti\u00f3n de identidades de c\u00f3digo abierto. Zitadel utiliza una cookie para identificar el agente de usuario (navegador) y sus sesiones de usuario. Aunque la cookie se manej\u00f3 de acuerdo con las mejores pr\u00e1cticas, era accesible en los subdominios de la instancia ZITADEL. Un atacante podr\u00eda aprovechar esto y proporcionar un enlace malicioso alojado en el subdominio al usuario para obtener acceso a la cuenta de la v\u00edctima en ciertos escenarios. Una posible v\u00edctima tendr\u00eda que iniciar sesi\u00f3n a trav\u00e9s del enlace malicioso para que este exploit funcione. Si la posible v\u00edctima ya tuviera presente la cookie, el ataque no tendr\u00eda \u00e9xito. Adem\u00e1s, el ataque solo ser\u00eda posible si hubiera una vulnerabilidad inicial en el subdominio. Esto podr\u00eda ser que el atacante pueda controlar DNS o una vulnerabilidad XSS en una aplicaci\u00f3n alojada en un subdominio. Se han parcheado las versiones 2.46.0, 2.45.1 y 2.44.3. Zitadel recomienda actualizar a las \u00faltimas versiones disponibles oportunamente. Tenga en cuenta que la aplicaci\u00f3n del parche invalidar\u00e1 la cookie actual y, por lo tanto, los usuarios deber\u00e1n iniciar una nueva sesi\u00f3n y las sesiones existentes (selecci\u00f3n de usuario) estar\u00e1n vac\u00edas. Para entornos autohospedados que no pueden actualizar a una versi\u00f3n parcheada, evite configurar el siguiente nombre de cookie en los subdominios de su instancia de Zitadel (por ejemplo, dentro de su WAF): `__Secure-zitadel-useragent`."}], "id": "CVE-2024-28197", "lastModified": "2025-01-07T15:54:40.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-11T20:15:07.420", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}