Zitadel is open-source identity infrastructure software that provides a wide range of features, including user authentication, authorization, and user account management. In this post, we discuss a vulnerability identified as CVE-2024-49757 that affects Zitadel versions prior to 2.64., 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7. The vulnerability allows users to bypass the self-registration restriction configured by the administrator.

Vulnerability Details

Zitadel allows administrators to disable user self-registration by setting the "User Registration allowed" option to off. However, in versions prior to the ones mentioned above, this setting only hid the registration button on the login page; it was not enforced on the registration flow itself. Consequently, anyone could still reach the registration flow by navigating directly to /ui/login/loginname and register an account despite the restriction.

Code Snippet

The following snippet shows the two URLs involved in the bypass on vulnerable Zitadel versions: the login page no longer shows the registration button, but the registration URL is still served when requested directly (example.com stands in for the affected instance):

# Visit the Zitadel login page
https://example.com/ui/login

# Access the registration URL directly
https://example.com/ui/login/loginname
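The bug class behind this advisory is a policy enforced only in the UI. As an added illustration that is not Zitadel's own code, the Go program below models a minimal login UI: the login page omits the register link when the policy is off, and the registration route is wired once without a policy check (the vulnerable shape) and once re-checking the policy on every request (the behaviour the patch restores). LoginPolicy, newMux, statusOf and the HTML bodies are assumptions; the two paths are the ones the post names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// LoginPolicy stands in for the setting the post calls "User Registration allowed".
// Types, routes and handlers here are illustrative, not Zitadel's own code.
type LoginPolicy struct{ AllowRegister bool }

// newMux wires a login page and a registration route against one policy.
func newMux(p *LoginPolicy, enforce bool) *http.ServeMux {
	mux := http.NewServeMux()
	// Login page: the register link is rendered only when allowed. That hides
	// the button but is not an access control on the registration route.
	mux.HandleFunc("/ui/login", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<form>login</form>")
		if p.AllowRegister {
			fmt.Fprint(w, `<a href="/ui/login/loginname">Register</a>`)
		}
	})
	// Registration route: enforce=false models the vulnerable versions (no policy
	// check, so a direct request still succeeds); enforce=true is the patched shape.
	mux.HandleFunc("/ui/login/loginname", func(w http.ResponseWriter, r *http.Request) {
		if enforce && !p.AllowRegister {
			http.Error(w, "self-registration disabled", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "<form>register</form>")
	})
	return mux
}

// statusOf returns the status code for a direct GET of path, the check a
// regression test for this bug should make.
func statusOf(h http.Handler, path string) int {
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, path, nil))
	return rr.Code
}

func main() {
	off := &LoginPolicy{AllowRegister: false}
	fmt.Println("vulnerable:", statusOf(newMux(off, false), "/ui/login/loginname")) // 200
	fmt.Println("fixed:", statusOf(newMux(off, true), "/ui/login/loginname"))       // 403
}
```

The useful regression check is the one statusOf makes: with the policy off, a direct request to the registration route must be refused, regardless of what the login page renders.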

Affected Versions

Vulnerable versions are those prior to 2.64., 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7.

Patch

Zitadel has released a patch for the vulnerability in versions 2.64., 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7.

No known workarounds are available. Operators of affected instances should upgrade to one of the patched versions immediately.

Original References

1. Zitadel official GitHub repository: https://github.com/caos/zitadel
2. Zitadel release notes containing the patched versions: https://github.com/caos/zitadel/releases

Conclusion

CVE-2024-49757 is a vulnerability in Zitadel, open-source identity infrastructure software, that affects user self-registration. Administrators running vulnerable versions should upgrade to a patched version as soon as possible. The patch ensures that self-registration is actually disabled when the "User Registration allowed" option is set to off, rather than merely hiding the registration button on the login page.

Timeline

Published on: 10/25/2024 15:15:18 UTC
Last modified on: 10/28/2024 13:58:09 UTC