
CVE-2024-29892: ZITADEL's actions can overload reserved claims

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.39195%
Published: 3/28/2024
Updated: 11/18/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/zitadel/zitadel | go | < 2.42.17 | 2.42.17 |
| github.com/zitadel/zitadel | go | >= 2.43.0, < 2.43.11 | 2.43.11 |
| github.com/zitadel/zitadel | go | >= 2.44.0, < 2.44.7 | 2.44.7 |
| github.com/zitadel/zitadel | go | >= 2.45.0, < 2.45.5 | 2.45.5 |
| github.com/zitadel/zitadel | go | >= 2.46.0, < 2.46.5 | 2.46.5 |
| github.com/zitadel/zitadel | go | >= 2.47.0, < 2.47.8 | 2.47.8 |
| github.com/zitadel/zitadel | go | >= 2.48.0, < 2.48.3 | 2.48.3 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing authorization checks when processing custom claims in actions. The patch commits (e.g. c4c34cb, ad0589d) mention adding protection against custom urn:zitadel:iam claims, indicating the vulnerable code was in the claim processing path. While exact function names aren't visible, ZITADEL's architecture suggests flow.go handles action processing. The confidence is high because:

1) The vulnerability directly relates to claim processing.
2) Fix commits explicitly mention claim validation improvements.
3) Multiple release notes confirm the pattern of adding reserved claim validation.

Vulnerable functions


WAF Protection Rules

WAF Rule

### Impact

Under certain circumstances an action could set [reserved claims](https://zitadel.com/docs/apis/openidoauth/claims#reserved-claims) managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:
