CVE-2022-36051

 

Published at: - 01-09-2022 01:15

Last modified: - 09-09-2022 05:12

Total changes: - 3

Description

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://github.com/zitadel/zitadel/releases/tag/v1.87.1
• https://github.com/zitadel/zitadel/releases/tag/v2.2.0
• https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c

 

Keywords

NVD

 

CVE-2022-36051

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures