CVE-2024-49753

Improper Input Validation (CWE-20)

Published: Oct 25, 2024 / Updated: 25d ago

CVSS 5.9 / EPSS 0.04% / Medium

Summary

Zitadel, open-source identity infrastructure software, has a flaw in the URL validation applied to Zitadel actions. The validation is intended to block requests to localhost (127.0.0.1), and the isHostBlocked check exists to enforce that. The check can be circumvented by creating a DNS record that resolves to 127.0.0.1: such a name is not caught, so actions can still send requests to localhost despite the intended restriction.
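The bypass described above is the familiar gap between checking a hostname string and checking where that name resolves. The Go example below is added here and is not Zitadel's own code; it contrasts a naive literal-match check with one that resolves the name first and rejects any answer in a loopback, unspecified, private or link-local range. All function names and the fake DNS table are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// naiveHostBlocked mirrors the flawed pattern: it matches only the literal
// hostname, so a name that resolves to 127.0.0.1 slips through.
func naiveHostBlocked(host string) bool {
	switch strings.ToLower(host) {
	case "localhost", "127.0.0.1", "::1":
		return true
	}
	return false
}

// isDeniedIP flags loopback, unspecified, private and link-local addresses.
func isDeniedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() || ip.IsLinkLocalUnicast()
}

// resolvedHostBlocked resolves first and applies the deny list to every
// returned address; it fails closed on lookup errors or empty answers.
func resolvedHostBlocked(host string, resolve func(string) ([]net.IP, error)) (bool, error) {
	if ip := net.ParseIP(host); ip != nil {
		return isDeniedIP(ip), nil
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return true, fmt.Errorf("resolve %q: err=%v answers=%d", host, err, len(ips))
	}
	for _, ip := range ips {
		if isDeniedIP(ip) {
			return true, nil
		}
	}
	return false, nil
}

// fakeResolver is a constructed lookup table standing in for real DNS.
func fakeResolver(host string) ([]net.IP, error) {
	switch strings.ToLower(host) {
	case "loopback.example.test":
		return []net.IP{net.ParseIP("127.0.0.1")}, nil
	case "api.example.test":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	}
	return nil, fmt.Errorf("NXDOMAIN")
}
```

Even the resolved check only holds if the HTTP client then connects to exactly the addresses that were validated (for example by pinning the dialer to them); a second lookup at connect time could return a different answer.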

Impact

This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. The impact is significant, with high confidentiality and integrity impacts, although availability is not affected. The CVSS v3.1 base score is 5.9, indicating a medium severity level. The attack vector is network-based, requiring high attack complexity and high privileges, but no user interaction.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at this time.

Patch

A patch is available. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain the fix for this vulnerability.

Mitigation

The primary mitigation is to update to a patched version of Zitadel. Organizations should upgrade to one of the following versions based on their current installation: 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, or 2.58.7. No known workarounds are available, making the update crucial for addressing this security issue.

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Oct 25, 2024 at 5:41 AM
CVE Assignment

NVD published the first details for CVE-2024-49753

Oct 25, 2024 at 2:15 PM
CVSS

A CVSS base score of 5.9 has been assigned.

Oct 25, 2024 at 2:21 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-49753.

Oct 25, 2024 at 2:22 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 25, 2024 at 2:22 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 14%)

Oct 26, 2024 at 9:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (757378)

Nov 5, 2024 at 7:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (210390)

Nov 6, 2024 at 12:15 PM

Affected Systems

Zitadel/zitadel

Patches

Github Advisory

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

[GHSA-6cf5-w9h3-4rqv] Denied Host Validation Bypass in Zitadel Actions
The relevant action code demonstrates the attempted request to 127.0.0.1: let http = require('zitadel/http')
The modified action code uses the custom domain instead of 127.0.0.1: let http = require('zitadel/http')

News

SUSE SLES15 / openSUSE 15 Security Update : govulncheck-vulndb (SUSE-SU-2024:3911-1)
The remote SUSE host is missing one or more security updates. The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3911-1 advisory.
suse_linux SUSE-SU-2024:3911-1: SUSE SLES15 / openSUSE 15 : Security update for govulncheck-vulndb (Important) (SUSE-SU-2024:3911-1)
Testing Last Updated: 11/6/2024 CVEs: CVE-2024-49757 , CVE-2024-47182 , CVE-2024-8037 , CVE-2024-47827 , CVE-2024-8996 , CVE-2024-9264 , CVE-2024-47003 , CVE-2024-33662 , CVE-2024-47067 , CVE-2024-9180 , CVE-2024-49753 , CVE-2024-8038 , CVE-2024-9407 , CVE-2024-48921 , CVE-2024-47877 , CVE-2024-10214 , CVE-2023-32197 , CVE-2024-47832 , CVE-2024-8901 , CVE-2024-39223 , CVE-2024-9355 , CVE-2024-9313 , CVE-2024-8975 , CVE-2024-9341 , CVE-2024-36814 , CVE-2024-49381 , CVE-2024-22036 , CVE-2024-9486 , CVE-2024-47825 , CVE-2024-7558 , CVE-2023-22644 , CVE-2024-9594 , CVE-2024-47616 , CVE-2024-10241 , CVE-2024-49380 , CVE-2022-45157 , CVE-2024-38365 , CVE-2024-47534 , CVE-2024-48909 , CVE-2024-9312 , CVE-2024-7594 , CVE-2024-22030 , CVE-2024-9675 , CVE-2024-50312
Security: Multiple issues in govulncheck-vulndb (SUSE)
* SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE: 2024:3911-1 important: govulncheck-vulndb Security Advisory Updates
* jsc#PED-11136 Cross-References: * CVE-2022-45157 * CVE-2023-22644
openSUSE: 2024:3911-1: important: govulncheck-vulndb Security Advisory Update
This update for govulncheck-vulndb fixes the following issues: Update to version 0.0.20241030T212825 2024-10-30T21:28:25Z ( jsc#PED-11136 )

CVSS V3.1

Attack Vector:Network
Attack Complexity:High
Privileges Required:High
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:None
