CVE-2022-36051

HIGH8.7EPSS 0.30%

Broken Authorization in ZITADEL Actions

Published: 8/30/2022Modified: 11/8/2023
Also known as:GHSA-c8fj-4pm8-mp2c

Description

### Impact **Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role `ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organisations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. ### Patches 2.x versions are fixed on >= [2.2.0](https://github.com/zitadel/zitadel/releases/tag/v2.2.0) 1.x versions are fixed on >= [1.87.1](https://github.com/zitadel/zitadel/releases/tag/v1.87.1) ZITADEL recommends upgrading to the latest versions available in due course. ### Workarounds There is no workaround since a patch is already available. ### Who did disclose this During our recurring white box penetration test our external security consultant found this issue. The full report will be made public after the complete review. ### References https://docs.zitadel.com/docs/guides/manage/customize/behavior https://docs.zitadel.com/docs/apis/actions https://zitadel.com/blog/pentest-results-h1-2021 ### Questions If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1HIGH8.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

References (7)