ZITADEL's actions can overload reserved claims
Package
Affected versions
< 2.42.17
>= 2.43.0, < 2.43.11
>= 2.44.0, < 2.44.7
>= 2.45.0, < 2.45.5
>= 2.46.0, < 2.46.5
>= 2.47.0, < 2.47.8
>= 2.48.0, < 2.48.3
Patched versions
2.42.17
2.43.11
2.44.7
2.45.5
2.46.5
2.47.8
2.48.3
Description
Published by the National Vulnerability Database
Mar 27, 2024
Published to the GitHub Advisory Database
Mar 28, 2024
Reviewed
Mar 28, 2024
Last updated
Mar 28, 2024
Credits
-
schettn Finder
-
fforootd Coordinator
-
adlerhurst Remediation reviewer
-
livio-a Remediation developer
Impact
Under certain circumstances an action could set reserved claims managed by ZITADEL.
For example it would be possible to set the claim
urn:zitadel:iam:user:resourceowner:name{"urn:zitadel:iam:user:resourceowner:name": "ACME"}if it was not set by ZITADEL itself.
To compensate for this we introduced a protection that does prevent actions from changing claims that start with
urn:zitadel:iamPatches
2.x versions are fixed on >= 2.48.3
2.47.x versions are fixed on >= 2.47.8
2.46.x versions are fixed on >= 2.46.5
2.45.x versions are fixed on >= 2.45.5
2.44.x versions are fixed on >= 2.44.7
2.43.x versions are fixed on >= 2.43.11
2.42.x versions are fixed on >= 2.42.17
Workarounds
No workaround available since a patch is available
Credits
Many thanks to @schettn whose disclosure of another topic lead us to find this issue.
References