1. Home
  2. CVE Database
  3. CVE-2024-29892
MEDIUM · 6.1

CVE-2024-29892

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it wo...

Vulnerability Description

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
ZitadelZitadel< 2.42.17

Related Weaknesses (CWE)

CWE-863

References

FAQ

What is CVE-2024-29892?

CVE-2024-29892 is a vulnerability with a CVSS score of 6.1 (MEDIUM). ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it wo...

How severe is CVE-2024-29892?

CVE-2024-29892 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-29892?

Check the references section above for vendor advisories and patch information. Affected products include: Zitadel Zitadel.