Skip to content

ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass

Moderate severity GitHub Reviewed Published Apr 25, 2024 in zitadel/zitadel • Updated Aug 7, 2024

Package

gomod github.com/zitadel/zitadel (Go)

Affected versions

< 2.50.0

Patched versions

2.50.0

Description

Impact

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email.

While ZITADEL already gives administrators the option to define a Lockout Policy with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks.

Patches

2.x versions are fixed on >= 2.50.0

Workarounds

There is no workaround since a patch is already available.

References

None

Questions

If you have any questions or comments about this advisory, please email us at [email protected]

Credits

Thanks to Jack Moran from Layer 9 Information Security, Ethan from zxsecurity and Amit Laish from GE Vernova for finding and reporting the vulnerability.

References

@livio-a livio-a published to zitadel/zitadel Apr 25, 2024
Published to the GitHub Advisory Database Apr 25, 2024
Reviewed Apr 25, 2024
Published by the National Vulnerability Database Apr 26, 2024
Last updated Aug 7, 2024

Severity

Moderate

EPSS score

0.043%
(10th percentile)

CVE ID

CVE-2024-32868

GHSA ID

GHSA-7j7j-66cv-m239

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.