Vulnerability Description
Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised t upgrade. Users unable to upgrade may instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized. Be sure to revoke all existing authentication keys associated with the service account and to rotate the service account's password.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zitadel | Zitadel | < 2.54.10 |
Related Weaknesses (CWE)
References
- https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393PatchVendor Advisory
FAQ
What is CVE-2024-47000?
CVE-2024-47000 is a vulnerability with a CVSS score of 8.1 (HIGH). Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to...
How severe is CVE-2024-47000?
CVE-2024-47000 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-47000?
Check the references section above for vendor advisories and patch information. Affected products include: Zitadel Zitadel.