Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions that allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
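The description above points at the general weakness behind this class of bug: a deny-list that compares the hostname string against "localhost" and "127.0.0.1" never sees the address the request will actually go to. The following Go snippet is an added illustration written for this page, not Zitadel's own isHostBlocked implementation or its patch; the function names (NaiveHostBlocked, ResolvedHostBlocked, StubResolver) and the DNS table are constructed for the example. It places the string-only check beside a check that resolves the name and rejects the request if any returned address is loopback, private, link-local or unspecified, which is what catches an attacker-registered name pointing at 127.0.0.1.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver abstracts DNS lookup so the check can be exercised offline.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// SystemResolver is what production code would pass: the host's resolver.
func SystemResolver(ctx context.Context, host string) ([]net.IP, error) {
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, a.IP)
	}
	return ips, nil
}

// ConstructedDNS is a fake zone for the example (constructed, not real data):
// one name resolves to loopback, one to a public documentation-range address.
var ConstructedDNS = map[string][]net.IP{
	"attacker-controlled.example": {net.ParseIP("127.0.0.1")},
	"app.example":                 {net.ParseIP("203.0.113.10")},
}

// StubResolver answers from ConstructedDNS and fails for unknown names.
func StubResolver(_ context.Context, host string) ([]net.IP, error) {
	if ips, ok := ConstructedDNS[host]; ok {
		return ips, nil
	}
	return nil, errors.New("nxdomain: " + host)
}

// isBlockedIP looks at the address, not the name. Go's helpers handle
// IPv4-mapped IPv6 (::ffff:127.0.0.1) via To4, and link-local covers the
// common cloud metadata address 169.254.169.254.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
}

// NaiveHostBlocked is the string-comparison style of check the advisory
// describes as bypassable: any name that is not literally localhost passes.
func NaiveHostBlocked(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return true, err
	}
	h := u.Hostname()
	return h == "localhost" || h == "127.0.0.1" || h == "::1", nil
}

// ResolvedHostBlocked parses literal IPs directly and resolves names,
// rejecting the URL if ANY address is blocked. Errors fail closed.
func ResolvedHostBlocked(ctx context.Context, resolve Resolver, rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return true, err
	}
	host := u.Hostname()
	if host == "" {
		return true, errors.New("empty host")
	}
	if ip := net.ParseIP(host); ip != nil {
		return isBlockedIP(ip), nil
	}
	if host == "localhost" {
		return true, nil
	}
	ips, err := resolve(ctx, host)
	if err != nil {
		return true, err
	}
	if len(ips) == 0 {
		return true, errors.New("no addresses for " + host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, raw := range []string{
		"http://attacker-controlled.example/admin",
		"http://app.example/hook",
		"http://[::1]:8080/",
	} {
		naive, _ := NaiveHostBlocked(raw)
		resolved, err := ResolvedHostBlocked(context.Background(), StubResolver, raw)
		fmt.Printf("%-42s naive=%v resolved=%v err=%v\n", raw, naive, resolved, err)
	}
}
```

Resolving at validation time closes the gap the advisory describes, but it is only a partial defence on its own: if the HTTP client later performs its own lookup, a name whose record changes between check and connect (DNS rebinding) is evaluated twice. The robust pattern is to pin the connection to the address that was checked, for example by installing a custom dialer that re-applies isBlockedIP to the address it is about to connect to, so the decision and the socket use the same IP.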
History

Fri, 25 Oct 2024 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zitadel; Zitadel zitadel
CPEs | | cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
Vendors & Products | | Zitadel; Zitadel zitadel
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 25 Oct 2024 14:15:00 +0000

Type | Values Removed | Values Added
Description | | Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions that allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
Title | | Denied Host Validation Bypass in Zitadel Actions
Weaknesses | | CWE-20
References | |
Metrics | | cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-10-25T14:11:44.092Z

Updated: 2024-10-25T16:17:38.587Z

Reserved: 2024-10-18T13:43:23.451Z

Link: CVE-2024-49753

Vulnrichment

Updated: 2024-10-25T16:17:32.905Z

NVD

Status: Awaiting Analysis

Published: 2024-10-25T14:15:12.280

Modified: 2024-10-28T13:58:09.230

Link: CVE-2024-49753

Redhat

No data.