8000 x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-g4r8-mp7g-85fq · Issue #3668 · golang/vulndb · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-g4r8-mp7g-85fq #3668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
GoVulnBot opened this issue May 6, 2025 · 0 comments
Open

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-g4r8-mp7g-85fq #3668

GoVulnBot opened this issue May 6, 2025 · 0 comments
Labels
NeedsTriage

Comments

@GoVulnBot
Copy link

Advisory GHSA-g4r8-mp7g-85fq references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description:

Impact

ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents.

Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session.

However, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and tok...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      non_go_versions:
        - introduced: TODO (earliest fixed "2.71.9", vuln range ">= 2.71.0, <= 2.71.8")
        - introduced: TODO (earliest fixed "3.0.0", vuln range ">= 3.0.0-rc.1, <= 3.0.0-rc.3")
        - fixed: 2.70.10
      vulnerable_at: 1.87.5
summary: ZITADEL Allows IdP Intent Token Reuse in github.com/zitadel/zitadel
cves:
    - CVE-2025-46815
ghsas:
    - GHSA-g4r8-mp7g-85fq
references:
    - advisory: https://github.com/advisories/GHSA-g4r8-mp7g-85fq
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq
    - fix: https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.70.10
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.71.9
    - web: https://github.com/zitadel/zitadel/releases/tag/v3.0.0
notes:
    - fix: 'module merge error: could not merge versions of module github.com/zitadel/zitadel: invalid or non-canonical semver version (found TODO (earliest fixed "2.71.9", vuln range ">= 2.71.0, <= 2.71.8"))'
source:
    id: GHSA-g4r8-mp7g-85fq
    created: 2025-05-06T17:01:36.500865281Z
review_status: UNREVIEWED
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsTriage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@GoVulnBot
0