CVE-2024-47000
CVSS 3.1 Score 8.1 of 10 (high)
Details
Summary
CVE-2024-47000 describes a vulnerability in ZITADEL, an open-source identity management platform, in which the user account deactivation mechanism does not correctly handle service accounts: a deactivated service account retains the ability to request tokens. This issue affects versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 of ZITADEL. It is classified as improper privilege management (CWE-269) and poses a high risk, since a deactivated service account can still obtain tokens that grant access to applications and resources.

To remediate, users are advised to upgrade to the latest versions. As an alternative, instead of only deactivating a service account, create new credentials for it, revoke all of its existing authentication keys, and rotate its passwords.

The vulnerability has a base severity of high (8.1). It is exploitable over the network with low attack complexity, requires low privileges, and needs no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). Organizations running affected versions should prioritize addressing this vulnerability to mitigate the risk of unauthorized access.
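The following is an added illustration, not ZITADEL's code and not taken from the advisory. It models the class of defect the summary describes: a token endpoint whose deactivation check applies only to human users, so a deactivated service account with a valid authentication key is still issued a token. Beside it is the corrected check, which consults the account state for every user type, and the advisory's interim remediation (revoking all keys) applied on top. The user types, states, function names and the token format are all assumptions made for the example.

```python
"""Added example: deactivation checks for service accounts (hypothetical model,
not ZITADEL's implementation)."""
from dataclasses import dataclass, field
from enum import Enum


class UserType(Enum):
    HUMAN = "human"
    MACHINE = "machine"  # a service account


class UserState(Enum):
    ACTIVE = "active"
    DEACTIVATED = "deactivated"


@dataclass
class User:
    user_id: str
    user_type: UserType
    state: UserState
    auth_keys: set = field(default_factory=set)  # key ids valid for this account


class TokenDenied(Exception):
    """Raised when the token endpoint refuses to issue a token."""


def issue_token_vulnerable(user: User, key_id: str) -> str:
    # Hypothetical defect pattern: the state check is gated on the user type,
    # so a deactivated machine user that still holds a valid key is issued a token.
    if user.user_type is UserType.HUMAN and user.state is not UserState.ACTIVE:
        raise TokenDenied("user is deactivated")
    if key_id not in user.auth_keys:
        raise TokenDenied("unknown authentication key")
    return f"token-for-{user.user_id}"  # constructed placeholder token


def issue_token_fixed(user: User, key_id: str) -> str:
    # Corrected check: account state is evaluated before anything else,
    # regardless of whether the account is a human or a machine user.
    if user.state is not UserState.ACTIVE:
        raise TokenDenied("user is deactivated")
    if key_id not in user.auth_keys:
        raise TokenDenied("unknown authentication key")
    return f"token-for-{user.user_id}"


def offboard_service_account(user: User) -> None:
    """Interim remediation from the advisory: revoke every existing key and
    deactivate, so that even an unpatched token endpoint has nothing to accept."""
    user.auth_keys.clear()
    user.state = UserState.DEACTIVATED


def can_obtain_token(issuer, user: User, key_id: str) -> bool:
    """Defender-side check: does this issuer hand a token to this account?"""
    try:
        issuer(user, key_id)
        return True
    except TokenDenied:
        return False


if __name__ == "__main__":
    # Constructed sample: a service account that was deactivated but whose key
    # was never revoked.
    svc = User("svc-ci", UserType.MACHINE, UserState.DEACTIVATED, {"key-1"})
    print("vulnerable endpoint issues token:", can_obtain_token(issue_token_vulnerable, svc, "key-1"))
    print("fixed endpoint issues token:     ", can_obtain_token(issue_token_fixed, svc, "key-1"))
    offboard_service_account(svc)
    print("after key revocation (either):   ", can_obtain_token(issue_token_vulnerable, svc, "key-1"))
```

The `can_obtain_token` helper is the kind of probe a defender can run against a staging instance after deactivating a service account: if a token still comes back, the deployment is either unpatched or the account's keys have not been revoked.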