CVE-2023-22492 — MEDIUM (5.9)

Q: How severe is CVE-2023-22492?

CVE-2023-22492 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-22492?

Check the references section above for vendor advisories and patch information. Affected products include: Zitadel Zitadel.

Vulnerability Description

ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Zitadel	Zitadel	>= 2.0.0, < 2.16.4

Related Weaknesses (CWE)

CWE-613

References

https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301aPatchThird Party Advisory
https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494PatchThird Party Advisory
https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8PatchThird Party Advisory
https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301aPatchThird Party Advisory
https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494PatchThird Party Advisory
https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8PatchThird Party Advisory

FAQ

What is CVE-2023-22492?

CVE-2023-22492 is a vulnerability with a CVSS score of 5.9 (MEDIUM). ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interac...

How severe is CVE-2023-22492?

CVE-2023-22492 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-22492?

Check the references section above for vendor advisories and patch information. Affected products include: Zitadel Zitadel.