CVE-2024-29892 MEDIUM

CVE-2024-29892: ZITADEL's actions can overload reserved claims

Vendor Zitadel
Product zitadel
Weakness CWE-863 · Incorrect authorization
Published March 27, 2024
Last update August 13, 2024
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.

Key dates

02Disclosure timeline

March 27, 2024 CVE published
August 13, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-32001 OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication CVE-2026-42296 Argo Workflows has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure CVE-2021-24207 WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts CVE-2023-50732 Velocity execution without script right through tree macro CVE-2026-44283 etcd: Read access via PrevKv in etcd transactions may bypass RBAC authorization checks