Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2024/VULN446 _____________________________________________________________________ DATE : 28/10/2024 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running ZITADEL versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, 2.58.7. ===================================================================== https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc _____________________________________________________________________ User Registration Bypass High livio-a published GHSA-3rmw-76m6-4gjc Oct 25, 2024 Package ZITADEL (ZITADEL) Affected versions <2.58.6, <2.59.4, <2.60.3, <2.61.3, <2.62.6, < 2.63.4, Patched versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, 2.58.7 Description Impact Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.63.4, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Patches 2.x versions are fixed on >= 2.64.0 2.63.x versions are fixed on >= 2.63.5 2.62.x versions are fixed on >= 2.62.7 2.61.x versions are fixed on >= 2.61.4 2.60.x versions are fixed on >= 2.60.4 2.59.x versions are fixed on >= 2.59.5 2.58.x versions are fixed on >= 2.58.7 Workarounds Updating to the patched version is the recommended solution. Questions If you have any questions or comments about this advisory, please email us at security@zitadel.com Credits Thanks to @sevensolutions and @evilgensec for disclosing this! Severity High 7.5/ 10 CVSS v3 base metrics Attack vector Network Attack complexity Low Privileges required None User interaction None Scope Unchanged Confidentiality High Integrity None Availability None CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE ID CVE-2024-49757 Weaknesses No CWEs Credits @evilgensec evilgensec Reporter @sevensolutions sevensolutions Reporter @fforootd fforootd Coordinator ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================