CVE-2024-47060

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published Sep 20, 2024
CWE ID 200

Summary

CVE-2024-47060 identifies a vulnerability in the Zitadel open-source identity management platform, affecting versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10, which allows unauthorized access to applications even after an organization or project has been deactivated. This occurs because the application lifecycle is not properly linked to the organization's status, allowing users from other organizations to continue accessing these applications without proper authorization post-deactivation. The potential risk for organizations includes unauthorized access to sensitive resources associated with deactivated projects, which can lead to data breaches or unauthorized information exposure (CWE-200). To remediate this vulnerability, it is advised that organizations upgrade to the latest version of Zitadel where this issue has been addressed and ensure that application lifecycles are correctly managed in relation to organizational statuses. The vulnerability has a medium severity rating with a CVSS base score of 4.3 and an exploitability score of 2.8, indicating a low attack complexity and requiring minimal privileges for exploitation.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share