{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47060", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-17T17:42:37.027Z", "datePublished": "2024-09-19T23:08:01.375Z", "dateUpdated": "2024-09-20T15:28:08.556Z"}, "containers": {"cna": {"title": "Unauthorized Access After Organization or Project Deactivation in Zitadel", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8"}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"version": ">= 2.62.0, < 2.62.1", "status": "affected"}, {"version": ">= 2.61.0, < 2.61.1", "status": "affected"}, {"version": ">= 2.60.0, < 2.60.2", "status": "affected"}, {"version": ">= 2.59.0, < 2.59.3", "status": "affected"}, {"version": ">= 2.58.0, < 2.58.5", "status": "affected"}, {"version": ">= 2.57.0, < 2.57.5", "status": "affected"}, {"version": ">= 2.56.0, < 2.56.6", "status": "affected"}, {"version": ">= 2.55.0, < 2.55.8", "status": "affected"}, {"version": "< 2.54.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-19T23:08:01.375Z"}, "descriptions": [{"lang": "en", "value": "Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore."}], "source": {"advisory": "GHSA-jj94-6f5c-65r8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-20T15:27:59.964305Z", "id": "CVE-2024-47060", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T15:28:08.556Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-20T15:27:59.964305Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T15:28:05.352Z"}}], "cna": {"title": "Unauthorized Access After Organization or Project Deactivation in Zitadel", "source": {"advisory": "GHSA-jj94-6f5c-65r8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"status": "affected", "version": ">= 2.62.0, < 2.62.1"}, {"status": "affected", "version": ">= 2.61.0, < 2.61.1"}, {"status": "affected", "version": ">= 2.60.0, < 2.60.2"}, {"status": "affected", "version": ">= 2.59.0, < 2.59.3"}, {"status": "affected", "version": ">= 2.58.0, < 2.58.5"}, {"status": "affected", "version": ">= 2.57.0, < 2.57.5"}, {"status": "affected", "version": ">= 2.56.0, < 2.56.6"}, {"status": "affected", "version": ">= 2.55.0, < 2.55.8"}, {"status": "affected", "version": "< 2.54.10"}]}], "references": [{"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8", "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-19T23:08:01.375Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47060", "state": "PUBLISHED", "dateUpdated": "2024-09-20T15:28:08.556Z", "dateReserved": "2024-09-17T17:42:37.027Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-19T23:08:01.375Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B57963B2-68B5-4E7C-97B7-64304BB64F6C", "versionEndExcluding": "2.54.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD559AF6-7A21-405F-A421-B801F37B9B3C", "versionEndExcluding": "2.55.8", "versionStartIncluding": "2.55.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "04A51D71-DC37-4443-AFD4-5C1DACBD9026", "versionEndExcluding": "2.56.6", "versionStartIncluding": "2.56.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A379F08-C3D5-4C5F-8799-AC2E9097A655", "versionEndExcluding": "2.57.5", "versionStartIncluding": "2.57.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "095B9185-EB6C-4601-95AC-C1F8CE4CF757", "versionEndExcluding": "2.58.5", "versionStartIncluding": "2.58.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "790DC952-225B-4AAA-873C-EACDE249982B", "versionEndExcluding": "2.59.3", "versionStartIncluding": "2.59.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "89E084F5-D132-4244-8E7C-4E26E033A636", "versionEndExcluding": "2.60.2", "versionStartIncluding": "2.60.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:2.61.0:*:*:*:*:*:*:*", "matchCriteriaId": "ED36FAD4-DAB7-41FE-8C14-119B24E2CCCC", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:2.62.0:*:*:*:*:*:*:*", "matchCriteriaId": "D15D8180-D356-4933-8390-19B2DCE2D89F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore."}, {"lang": "es", "value": "Zitadel es una plataforma de gesti\u00f3n de identidades de c\u00f3digo abierto. En Zitadel, incluso despu\u00e9s de que se desactiva una organizaci\u00f3n, los proyectos asociados y sus aplicaciones permanecen activos. Los usuarios de otras organizaciones a\u00fan pueden iniciar sesi\u00f3n y acceder a trav\u00e9s de estas aplicaciones, lo que genera acceso no autorizado. Adem\u00e1s, si se desactiva un proyecto, tambi\u00e9n se puede acceder a las aplicaciones. El problema surge del hecho de que cuando se desactiva una organizaci\u00f3n en Zitadel, las aplicaciones asociadas a ella no se desactivan autom\u00e1ticamente. El ciclo de vida de la aplicaci\u00f3n no est\u00e1 estrechamente vinculado con el ciclo de vida de la organizaci\u00f3n, lo que genera una situaci\u00f3n en la que la organizaci\u00f3n o el proyecto se marcan como inactivos, pero sus recursos siguen siendo accesibles. Esta vulnerabilidad permite el acceso no autorizado a los proyectos y sus recursos, que deber\u00edan haber estado restringidos despu\u00e9s de la desactivaci\u00f3n de la organizaci\u00f3n. Se han publicado las versiones 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8 y 2.54.10 que solucionan este problema. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar la versi\u00f3n pueden deshabilitar expl\u00edcitamente la aplicaci\u00f3n para asegurarse de que el cliente ya no est\u00e9 autorizado."}], "id": "CVE-2024-47060", "lastModified": "2024-09-25T16:43:47.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-20T00:15:03.767", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}