CVE-2024-32868

Published: 26 Apr 2024
Source: nvd
CVSS3: 6.5
CVSS3: 8.1
EPSS: Low

Description

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a Lockout Policy with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0.

Vulnerable configurations

Configuration 1
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
Versions before 2.50.0 (excluding)

EPSS

Percentile: 35%
Score: 0.00141
Low

CVSS3: 6.5 Medium

CVSS3: 8.1 High

Weaknesses

CWE-297
CWE-307

Related vulnerabilities

CVSS3: 6.5
github
almost 2 years ago

ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass
