Vulnerability Description
ZITADEL lets users authenticate with Time-based One-Time Passwords (TOTP) and with One-Time Passwords (OTP) delivered via SMS and email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum number of failed password check attempts, no such limit existed for (T)OTP checks, so failed (T)OTP attempts were never counted or locked out. This issue has been patched in version 2.50.0.
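As an added illustration (not ZITADEL's own code), a minimal Go sketch of the mechanism the advisory says was missing: a lockout policy whose hypothetical MaxOTPAttempts limit locks a user after repeated failed (T)OTP checks, with 0 reproducing the unlimited pre-2.50.0 behaviour; the Verify callback is a constructed stand-in for the real TOTP/SMS/email code comparison.

```go
package main

import "errors"

// Hypothetical lockout policy with an OTP limit, modelled on the password
// lockout policy the advisory mentions; not ZITADEL's own code.
type LockoutPolicy struct {
	MaxOTPAttempts int // 0 = unlimited, the pre-2.50.0 situation for (T)OTP
}

var (
	ErrLocked      = errors.New("user locked: too many failed OTP attempts")
	ErrInvalidCode = errors.New("invalid OTP code")
)

// OTPChecker counts failed (T)OTP checks per user and locks the user once the
// limit is reached. Verify is a constructed stand-in for real code verification.
type OTPChecker struct {
	Policy LockoutPolicy
	Verify func(user, code string) bool
	failed map[string]int
	locked map[string]bool
}

// Check returns nil for a valid code, ErrInvalidCode for a wrong one and
// ErrLocked once MaxOTPAttempts failures accumulated; locked users' codes are never evaluated.
func (c *OTPChecker) Check(user, code string) error {
	if c.failed == nil {
		c.failed, c.locked = map[string]int{}, map[string]bool{}
	}
	if c.locked[user] {
		return ErrLocked
	}
	if c.Verify(user, code) {
		c.failed[user] = 0 // a successful check resets the counter
		return nil
	}
	c.failed[user]++
	if c.Policy.MaxOTPAttempts > 0 && c.failed[user] >= c.Policy.MaxOTPAttempts {
		c.locked[user] = true // stays locked until an administrator unlocks
		return ErrLocked
	}
	return ErrInvalidCode
}

// Unlock is the administrative reset that clears the lock and the counter.
func (c *OTPChecker) Unlock(user string) {
	delete(c.locked, user)
	delete(c.failed, user)
}
```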
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zitadel | Zitadel | < 2.50.0 |
Related Weaknesses (CWE)
References
- https://github.com/zitadel/zitadel/releases/tag/v2.50.0 (Release Notes)
- https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239 (Vendor Advisory)
FAQ
What is CVE-2024-32868?
CVE-2024-32868 is a vulnerability with a CVSS score of 6.5 (MEDIUM). ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `...
How severe is CVE-2024-32868?
CVE-2024-32868 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-32868?
Yes. The vendor patched this issue in ZITADEL version 2.50.0; see the references section above for the release notes and the vendor advisory. Affected product: Zitadel (vendor: Zitadel), versions before 2.50.0.