CVE-2023-49097 HIGH

CVE-2023-49097: ZITADEL vulnerable account takeover via malicious host header injection

Vendor Zitadel

Product zitadel

Weakness CWE-640 · Weak password recovery

Published November 30, 2023

Last update November 27, 2024

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.

Key dates

02Disclosure timeline

November 30, 2023 CVE published

November 27, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-49097 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/640.html

Related vulnerabilities

Identifiers

CVE CVE-2023-49097

CWE CWE-640

CVSS 8.1 / HIGH

Affected versions

Vendor Zitadel

Product zitadel

Affected >= 2.39.0, < 2.39.9

Vendor Zitadel

Product zitadel

Affected >= 2.40.0, < 2.40.10

Vendor Zitadel

Product zitadel

Affected >= 2.41.0, < 2.41.6

CVE-2023-49097: ZITADEL vulnerable account takeover via malicious host header injection

01Description

02Disclosure timeline

03References

04Related CVE