CVE-2023-44399 MEDIUM

CVE-2023-44399: ZITADEL's password reset does not respect the "Ignoring unknown usernames" setting

Vendor Zitadel
Product zitadel
Weakness CWE-640 · Weak password recovery
Published October 10, 2023
Last update September 19, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this setting was working properly during the authentication process, it did not work correctly in the password reset flow. This meant that even if the feature was active, an attacker could use the password reset function to verify whether an account exists within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.
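
The gap the description refers to, as an added illustration that is not ZITADEL's code: a login flow that honours the setting while the reset flow ignores it, beside a reset flow that consults it, plus a defender's check that compares the responses for a known and an unknown username. The user store, setting name and handler shapes are constructed assumptions.

```python
"""Constructed model of the CVE-2023-44399 enumeration gap (not ZITADEL code)."""
from dataclasses import dataclass

# Constructed sample user store and setting; names are assumptions.
USERS = {"alice@example.com", "bob@example.com"}
SENT: list[str] = []  # records which addresses a reset mail was "sent" to


@dataclass(frozen=True)
class Response:
    status: int
    message: str


@dataclass
class Settings:
    ignore_unknown_usernames: bool = True


def send_reset_mail(username: str) -> None:
    SENT.append(username)


def login_response(username: str, settings: Settings) -> Response:
    # Authentication already honours the setting: an unknown username and a
    # wrong password collapse into the same generic failure.
    if username not in USERS and not settings.ignore_unknown_usernames:
        return Response(404, "user not found")
    return Response(401, "invalid username or password")


def reset_vulnerable(username: str, settings: Settings) -> Response:
    # Pre-fix behaviour: the setting is never consulted, so an unknown
    # username yields a distinct error and account existence leaks.
    if username not in USERS:
        return Response(404, "user not found")
    send_reset_mail(username)
    return Response(200, "reset code sent")


def reset_fixed(username: str, settings: Settings) -> Response:
    # Fixed behaviour: with the setting on, an unknown username gets the same
    # status and message as a known one, and no mail is sent.
    if username not in USERS:
        if settings.ignore_unknown_usernames:
            return Response(200, "reset code sent")
        return Response(404, "user not found")
    send_reset_mail(username)
    return Response(200, "reset code sent")


def distinguishable(handler, settings: Settings) -> bool:
    # Defender's check: True means the flow reveals whether an account exists.
    # (A real check also compares response timing, which this model omits.)
    known = handler("alice@example.com", settings)
    unknown = handler("nobody@example.com", settings)
    return known != unknown
```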

Key dates

Disclosure timeline

October 10, 2023 CVE published
September 19, 2024 Record updated