CVE-2023-44399
Summary
| CVE | CVE-2023-44399 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-10 17:15:00 UTC |
| Updated | 2023-10-23 19:22:00 UTC |
| Description | ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this setting was working properly during the authentication process, it did not work correctly on the password reset flow. This meant that even if this feature was active, an attacker could use the password reset function to verify whether an account exists within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available. |
Risk And Classification
Problem Types: CWE-640
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Release v2.38.0 · zitadel/zitadel · GitHub | MISC | github.com | |
| Release v2.37.3 · zitadel/zitadel · GitHub | MISC | github.com | |
| Password reset does not respect the "Ignoring unknown usernames" setting · Advisory · zitadel/zitadel · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 995543 GO (Go) Security Update for github.com/zitadel/zitadel (GHSA-v683-rcxx-vpff)