Description

Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.

INFO

Published Date :

2024-10-25T14:11:44.092Z

Last Modified :

2024-10-25T16:17:38.587Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-49753 vulnerability.

Vendors Products
Zitadel
  • Zitadel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-49753.

URL Resource
https://github.com/zitadel/zitadel/releases/tag/v2.58.7 cve-icon cve-icon
https://github.com/zitadel/zitadel/releases/tag/v2.59.5 cve-icon cve-icon
https://github.com/zitadel/zitadel/releases/tag/v2.60.4 cve-icon cve-icon
https://github.com/zitadel/zitadel/releases/tag/v2.61.4 cve-icon cve-icon
https://github.com/zitadel/zitadel/releases/tag/v2.62.8 cve-icon cve-icon
https://github.com/zitadel/zitadel/releases/tag/v2.63.6 cve-icon cve-icon
https://github.com/zitadel/zitadel/releases/tag/v2.64.1 cve-icon cve-icon
https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact