CVE-2024-32967

MEDIUM5.3EPSS 0.39%

Zitadel exposing internal database user name and host information

Published: 5/1/2024Modified: 7/8/2024
Also known as:GHSA-q5qj-x2h5-3945GO-2024-2804

Description

### Impact In case ZITADEL could not connect to the database, connection information including db name, username and db host name could be returned to the user. ### Patches 2.x versions are fixed on >= [2.50.3](https://github.com/zitadel/zitadel/releases/tag/v2.50.3) 2.49.x versions are fixed on >= [2.49.5](https://github.com/zitadel/zitadel/releases/tag/v2.49.5) 2.48.x versions are fixed on >= [2.48.5](https://github.com/zitadel/zitadel/releases/tag/v2.48.5) 2.47.x versions are fixed on >= [2.47.10](https://github.com/zitadel/zitadel/releases/tag/v2.47.10) 2.46.x versions are fixed on >= [2.46.7](https://github.com/zitadel/zitadel/releases/tag/v2.46.7) 2.45.x versions are fixed on >= [2.45.7](https://github.com/zitadel/zitadel/releases/tag/v2.45.7) ### Workarounds There is no workaround since a patch is already available. ### Questions If you have any questions or comments about this advisory, please email us at [[email protected]](mailto:[email protected])

Affected packages (2)

CVSS scores

SourceVersionSeverityVector
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osvCVSS 3.1MEDIUM5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (10)