CVE-2024-32868 MEDIUM

CVE-2024-32868: ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass

Vendor Zitadel
Product zitadel
Weakness CWE-307 · Brute force
Published April 25, 2024
Last update August 5, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

ZITADEL lets users authenticate with Time-based One-Time Passwords (TOTP) and with One-Time Passwords (OTP) delivered via SMS and email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum number of failed password check attempts, there was no such mechanism for (T)OTP checks, so a second factor could be guessed repeatedly without locking the account. This issue has been patched in version 2.50.0.
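The missing control, as an added example that is not ZITADEL's code: a verifier in which each factor has its own failure counter, with `max_otp_attempts = 0` standing in for the pre-2.50.0 behaviour where OTP failures were never counted. All names, the limit values and the sample account are assumptions.

```python
# Added example, not ZITADEL's code: a per-factor lockout counter so the (T)OTP
# check is bounded like the password check. Names/limits are assumptions.
import hmac
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    max_password_attempts: int = 5
    max_otp_attempts: int = 5  # 0 means unlimited: the pre-2.50.0 gap

@dataclass
class Account:
    password: str
    otp_code: str              # constructed 6-digit code for the demo
    password_failures: int = 0
    otp_failures: int = 0
    locked: bool = False

class Authenticator:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy

    def _check(self, acct, supplied, expected, counter, limit) -> bool:
        if acct.locked:                    # a locked account rejects everything
            return False
        if hmac.compare_digest(supplied, expected):
            setattr(acct, counter, 0)      # success resets that factor's counter
            return True
        failures = getattr(acct, counter) + 1
        setattr(acct, counter, failures)
        if limit and failures >= limit:    # limit 0 never locks
            acct.locked = True
        return False

    def check_password(self, acct: Account, pw: str) -> bool:
        return self._check(acct, pw, acct.password, "password_failures", self.policy.max_password_attempts)

    def check_otp(self, acct: Account, code: str) -> bool:
        return self._check(acct, code, acct.otp_code, "otp_failures", self.policy.max_otp_attempts)

def otp_guesses_accepted(policy: LockoutPolicy, guesses: int) -> int:
    """Wrong OTP codes evaluated before the account locks (== guesses if never)."""
    acct = Account(password="correct horse", otp_code="493027")
    auth = Authenticator(policy)
    for i in range(guesses):
        if acct.locked:
            return i
        auth.check_otp(acct, f"{i:06d}")   # always wrong for i < 493027
    return guesses
```

With the unlimited policy every wrong code is evaluated; with a limit of 5 the account locks after the fifth failure and further codes are refused.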

Key dates

Disclosure timeline

April 25, 2024 CVE published
August 5, 2024 Record updated