Описание
ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to 2.53.0 are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue.
Ссылки
- Release Notes
- Release Notes
- Release Notes
- Release Notes
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 2.53.0 (включая) до 2.70.14 (исключая)Версия от 2.71.0 (включая) до 2.71.13 (исключая)Версия от 3.0.0 (включая) до 3.3.1 (исключая)
Одно из
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:4.0.0:rc1:*:*:*:*:*:*
EPSS
Процентиль: 21%
0.00069
Низкий
8.8 High
CVSS3
Дефекты
CWE-384
EPSS
Процентиль: 21%
0.00069
Низкий
8.8 High
CVSS3
Дефекты
CWE-384