Upstream information
Description
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
CNA (GitHub) | |
---|---|
Base Score | 7.5 |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | High |
Integrity Impact | None |
Availability Impact | None |
CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- SUSE-SU-2024:3911-1, published 2024-11-05T07:45:06Z
- openSUSE-SU-2024:14447-1, published Sat Nov 2 18:49:02 2024
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
SUSE Linux Enterprise Module for Package Hub 15 SP5 |
| Patchnames: SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3911 |
SUSE Linux Enterprise Module for Package Hub 15 SP6 |
| Patchnames: SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3911 |
SUSE Package Hub 12 |
| Patchnames: openSUSE-2024-350 |
openSUSE Leap 15.5 |
| Patchnames: openSUSE-SLE-15.5-2024-3911 |
openSUSE Leap 15.6 |
| Patchnames: openSUSE-SLE-15.6-2024-3911 |
openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2024-14447 |
SUSE Timeline for this CVE
CVE page created: Fri Oct 25 18:00:39 2024CVE page last modified: Tue Nov 5 16:57:16 2024