5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-22492

GHSA ID

GHSA-6rrr-78xp-5jp8

EPSS Score

0.24324%

CWE

CWE-613

Published

1/11/2023

Updated

1/24/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-22492

CVE-2023-22492: Zitadel RefreshToken invalidation vulnerability

Impact

RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI.

RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant.

When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration).

Patches

2.x versions are fixed on >= 2.17.3 2.16.x versions are fixed on >= 2.16.4

ZITADEL recommends upgrading to the latest versions available in due course.

Workarounds

Ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements.

References

https://zitadel.com/docs/guides/manage/console/instance-settings#oidc-token-lifetimes-and-expiration

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-22492

GHSA ID

GHSA-6rrr-78xp-5jp8

EPSS Score

0.24324%

CWE

CWE-613

Published

1/11/2023

Updated

1/24/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/zitadel/zitadel	go	>= 2.17.0, < 2.17.3	2.17.3
github.com/zitadel/zitadel	go	>= 2.0.0, < 2.16.4	2.16.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key flaws: 1) Token issuance allowed non-active users due to a weak state check (isUserStateExists instead of explicit active state check). 2) Token refresh logic didn't properly respond to account status changes (locked/deactivated). The commit fixes these by: a) Changing the user state check to require UserStateActive in addUserToken, and b) Adding explicit handling of deactivation/lock events in the token write model's Reduce method to mark tokens as invalid.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t R**r*s*Tok*ns is *n O*ut* *.* ***tur* t**t *llows *ppli**tions to r*tri*v* n*w ****ss tok*ns *n* r**r*s* t** us*r's s*ssion wit*out t** n*** *or int*r**tin* wit* * UI. R**r*s*Tok*ns w*r* not inv*li**t** w**n * us*r w*s lo*k** or ****tiv*t

Reasoning

T** vuln*r**ility st*mm** *rom two k*y *l*ws: *) Tok*n issu*n** *llow** non-**tiv* us*rs *u* to * w**k st*t* ****k (isUs*rSt*t**xists inst*** o* *xpli*it **tiv* st*t* ****k). *) Tok*n r**r*s* lo*i* *i*n't prop*rly r*spon* to ***ount st*tus ***n**s (l

5.9

Basic Information

Concerned about an active attack path?

CVE-2023-22492: Zitadel RefreshToken invalidation vulnerability

Impact

Patches

Workarounds

References

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI