
CVE-2023-22492: Zitadel RefreshToken invalidation vulnerability

CVSS Score (v3.1): 5.9

Basic Information

EPSS Score: 0.24324%
Published: 1/11/2023
Updated: 1/24/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/zitadel/zitadel | go | >= 2.17.0, < 2.17.3 | 2.17.3 |
| github.com/zitadel/zitadel | go | >= 2.0.0, < 2.16.4 | 2.16.4 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from two key flaws:

1) Token issuance allowed non-active users because of a weak state check (isUserStateExists instead of an explicit check for the active state).
2) The token refresh logic did not respond to account status changes (locked/deactivated).

The commit fixes these by:

a) Changing the user state check in addUserToken to require UserStateActive, and
b) Adding explicit handling of deactivation and lock events in the token write model's Reduce method, marking the token as invalid.
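As an added illustration (not Zitadel's code), the Go sketch below models both fixes described above: the issuance check tightened from an exists-style check to UserStateActive, and a Reduce method that turns lock and deactivation events into token invalidation. The types, field names and event strings are assumptions made for this example.

```go
package main

type UserState int // constructed lifecycle states, not Zitadel's own type

const (
	UserStateUnspecified UserState = iota
	UserStateActive
	UserStateInactive
	UserStateLocked
)

type Event struct{ Type string } // simplified event; the type strings are assumed

// RefreshTokenWriteModel folds the user's event stream into the token's state.
type RefreshTokenWriteModel struct {
	UserState UserState
	Exists    bool
	Invalid   bool
}

// Reduce applies events in order; fix (b): lock/deactivation events invalidate the token.
func (wm *RefreshTokenWriteModel) Reduce(events []Event) {
	for _, e := range events {
		switch e.Type {
		case "user.added":
			wm.UserState = UserStateActive
		case "token.added":
			wm.Exists = true
		case "user.locked":
			wm.UserState, wm.Invalid = UserStateLocked, true
		case "user.deactivated":
			wm.UserState, wm.Invalid = UserStateInactive, true
		}
	}
}

// isUserStateExists is the pre-fix check: any known state passes, locked or deactivated included.
func isUserStateExists(s UserState) bool { return s != UserStateUnspecified }

// addUserTokenAllowed is fix (a): token issuance requires UserStateActive.
func addUserTokenAllowed(s UserState) bool { return s == UserStateActive }

// RefreshAllowed replays the history; only an existing, non-invalidated token of an active user passes.
func RefreshAllowed(events []Event) bool {
	wm := &RefreshTokenWriteModel{}
	wm.Reduce(events)
	return wm.Exists && !wm.Invalid && wm.UserState == UserStateActive
}

func main() {}
```

With the constructed history `user.added, token.added, user.locked`, the old check still passes the locked user while RefreshAllowed now returns false.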

Vulnerable functions


WAF Protection Rules

WAF Rule

### Impact

RefreshTokens are an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated.
