{"id":"CVE-2024-39683","summary":"ZITADEL Vulnerable to Session Information Leakage","details":"ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that user agent information (e.g. when created through the session service) were incorrectly included in the listing, potentially exposing other users' sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround; users should upgrade to a fixed version.","aliases":["GHSA-cvw9-c57h-3397","GO-2024-2968"],"modified":"2026-04-10T05:14:35.294133Z","published":"2024-07-03T19:20:08.880Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39683.json","cwe_ids":["CWE-200"]},"references":[{"type":"WEB","url":"https://discord.com/channels/927474939156643850/1254096852937347153"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.53.8"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.54.5"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.55.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39683.json"},{"type":"ADVISORY","url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39683"},{"type":"REPORT","url":"https://github.com/zitadel/zitadel/issues/8213"},{"type":"FIX","url":"https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04"},{"type":"FIX","url":"https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da"},{"type":"FIX","url":"https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73"},{"type":"FIX","url":"https://github.
com/zitadel/zitadel/pull/8231"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"0"},{"last_affected":"9a9753a911a737649b2e592c20635e515cd2ef8f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"= 2.55.0"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"50e0e7d564e45cbc351b0b46d6a75dfd924ab528"},{"fixed":"4a262e42abac2208b02fefaf68ba1a5121649f04"}],"database_specific":{"versions":[{"introduced":"2.54.0"},{"fixed":"2.54.5"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"8ce3af2f9d7cc763ac9c72a038a7f3218259f062"},{"fixed":"c2093ce01507ca8fc811609ff5d391693360c3da"}],"database_specific":{"versions":[{"introduced":"2.53.0"},{"fixed":"2.53.8"}]}}],"versions":["2.20.0","cnsl-feature-dev","feat-new-mail-templates-dev","v0.0.0","v0.1.0","v0.10.0","v0.11.0","v0.119.0","v0.119.1","v0.119.2","v0.119.3","v0.119.4","v0.119.5","v0.119.6","v0.12.0","v0.120.0","v0.120.1","v0.121.0","v0.121.1","v0.121.2","v0.122.0","v0.122.1","v0.122.2","v0.122.3","v0.122.4","v0.122.5","v0.123.0","v0.123.1","v0.123.2","v0.123.3","v0.123.4","v0.123.5","v0.124.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.17.1","v0.18.0","v0.18.1","v0.18.2","v0.18.3","v0.19.0","v0.2.0","v0.20.0","v0.20.1","v0.20.2","v0.21.0","v0.22.0","v0.22.1","v0.22.2","v0.22.3","v0.22.4","v0.22.5","v0.22.6","v0.22.7","v0.23.0","v0.23.1","v0.24.0","v0.24.1","v0.24.2","v0.24.3","v0.25.0","v0.25.1","v0.26.0","v0.27.0","v0.28.0","v0.29.0","v0.29.1","v0.3.0","v0.3.1","v0.30.0","v0.30.1","v0.31.0","v0.31.1","v0.31.2","v0.31.3","v0.32.0","v0.32.1","v0.32.2","v0.33.0","v0.33.1","v0.33.2","v0.33.3","v0.33.4","v0.33.5","v0.34.0","v0.35.0","v0.35.1","v0.35.2","v0.36.0","v0.37.0","v0.38.0","v0.39.0","v0.39.1","v0.4.0","v0.4.1","v0.40.0","v0.40.1","v0.40.2","v0.40.3","v0.40.4","v0.41.0","v0.41.1","v0.42.0","v0.42.1","v0.42.2","v0.42.3","v0.42.4","v0.43.0","v0.43.1","v0.43.2","v0.
44.0","v0.44.1","v0.44.2","v0.44.3","v0.45.0","v0.46.0","v0.46.1","v0.47.0","v0.47.1","v0.47.2","v0.47.3","v0.47.4","v0.47.5","v0.48.0","v0.49.0","v0.49.1","v0.5.0","v0.50.0","v0.51.0","v0.51.1","v0.52.0","v0.53.0","v0.53.1","v0.53.2","v0.53.3","v0.53.4","v0.53.5","v0.54.0","v0.54.1","v0.54.2","v0.54.3","v0.54.4","v0.54.5","v0.55.0","v0.55.1","v0.55.10","v0.55.11","v0.55.12","v0.55.13","v0.55.2","v0.55.3","v0.55.4","v0.55.5","v0.55.6","v0.55.7","v0.55.8","v0.55.9","v0.56.0","v0.56.1","v0.57.0","v0.57.1","v0.57.2","v0.58.0","v0.59.0","v0.59.1","v0.6.0","v0.60.0","v0.60.1","v0.61.0","v0.61.1","v0.61.2","v0.61.3","v0.61.4","v0.62.0","v0.63.0","v0.63.1","v0.64.0","v0.64.1","v0.64.2","v0.64.3","v0.64.4","v0.64.5","v0.64.6","v0.64.7","v0.65.0","v0.66.0","v0.66.1","v0.67.0","v0.67.1","v0.67.2","v0.68.0","v0.69.0","v0.69.1","v0.7.0","v0.70.0","v0.70.1","v0.71.0","v0.72.0","v0.73.0","v0.74.0","v0.74.1","v0.74.2","v0.74.3","v0.74.4","v0.75.0","v0.75.1","v0.75.2","v0.75.3","v0.75.4","v0.75.5","v0.76.0","v0.76.1","v0.76.2","v0.76.3","v0.77.0","v0.77.1","v0.77.2","v0.77.3","v0.77.4","v0.77.5","v0.78.0","v0.78.1","v0.78.2","v0.79.0","v0.8.0","v0.80.0","v0.80.1","v0.80.2","v0.81.0","v0.81.1","v0.81.2","v0.81.3","v0.81.4","v0.81.5","v0.81.6","v0.82.0","v0.82.1","v0.82.2","v0.82.3","v0.82.4","v0.83.0","v0.83.1","v0.83.2","v0.83.3","v0.83.4","v0.83.5","v0.83.6","v0.84.0","v0.84.1","v0.84.2","v0.84.3","v0.84.4","v0.85.0","v0.85.1","v0.85.2","v0.85.3","v0.85.4","v0.86.0","v0.86.1","v0.86.2","v0.87.0","v0.87.1","v0.88.0","v0.88.1","v0.88.2","v0.88.3","v0.9.0","v1-events-queries-dev","v1.0.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.1.0","v1.10.0","v1.10.1","v1.10.2","v1.10.3","v1.10.4","v1.10.5","v1.11.0","v1.11.1","v1.12.0","v1.12.1","v1.12.2","v1.12.3","v1.12.4","v1.12.5","v1.12.6","v1.12.7","v1.13.0","v1.14.0","v1.14.1","v1.15.0","v1.15.1","v1.16.0","v1.16.1","v1.16.2","v1.16.3","v1.16.4","v1.16.5","v1.16.6","v1.16.7","v1.16.8","v1.17.0","v1.17.1","v1.17.2","v1.17.3","v1.17.4","v1.17.
5","v1.17.6","v1.17.7","v1.18.0","v1.18.1","v1.19.0","v1.19.1","v1.19.2","v1.19.3","v1.19.4","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.2.5","v1.2.6","v1.2.7","v1.20.0","v1.20.1","v1.20.2","v1.20.3","v1.20.4","v1.20.5","v1.21.0","v1.21.1","v1.21.2","v1.21.3","v1.21.4","v1.22.0","v1.22.1","v1.22.10","v1.22.11","v1.22.12","v1.22.13","v1.22.2","v1.22.3","v1.22.4","v1.22.5","v1.22.6","v1.22.7","v1.22.8","v1.22.9","v1.23.0","v1.23.1","v1.23.2","v1.23.3","v1.23.4","v1.23.5","v1.24.0","v1.24.1","v1.24.2","v1.25.0","v1.25.1","v1.26.0","v1.26.1","v1.27.0","v1.27.1","v1.27.2","v1.27.3","v1.27.4","v1.28.0","v1.28.1","v1.28.2","v1.28.3","v1.28.4","v1.29.0","v1.29.1","v1.29.2","v1.29.3","v1.29.4","v1.29.5","v1.29.6","v1.3.0","v1.30.0","v1.30.1","v1.30.2","v1.31.0","v1.31.1","v1.32.0","v1.32.1","v1.32.2","v1.32.3","v1.32.4","v1.32.5","v1.33.0","v1.33.1","v1.34.0","v1.34.1","v1.34.10","v1.34.11","v1.34.2","v1.34.3","v1.34.4","v1.34.5","v1.34.6","v1.34.7","v1.34.8","v1.34.9","v1.35.0","v1.35.1","v1.36.0","v1.37.0","v1.38.0","v1.39.0","v1.39.1","v1.4.0","v1.40.0","v1.41.0","v1.41.1","v1.41.2","v1.41.3","v1.41.4","v1.42.0","v1.42.1","v1.42.2","v1.43.0","v1.43.1","v1.43.2","v1.43.3","v1.43.4","v1.44.0","v1.44.1","v1.44.2","v1.44.3","v1.45.0","v1.45.1","v1.45.2","v1.45.3","v1.45.4","v1.45.5","v1.45.6","v1.46.0","v1.46.1","v1.46.2","v1.46.3","v1.46.4","v1.47.0","v1.47.1","v1.47.2","v1.47.3","v1.47.4","v1.47.5","v1.47.6","v1.48.0","v1.48.1","v1.48.2","v1.48.3","v1.48.4","v1.48.5","v1.48.6","v1.48.7","v1.48.8","v1.49.0","v1.49.1","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.50.0","v1.50.1","v1.50.2","v1.50.3","v1.50.4","v1.51.0","v1.52.0","v1.52.1","v1.52.2","v1.53.0","v1.53.1","v1.53.2","v1.54.0","v1.54.1","v1.54.10","v1.54.2","v1.54.3","v1.54.4","v1.54.5","v1.54.6","v1.54.7","v1.54.8","v1.54.9","v1.55.0","v1.55.1","v1.55.2","v1.56.0","v1.56.1","v1.56.10","v1.56.11","v1.56.12","v1.56.13","v1.56.14","v1.56.15","v1.56.16","v1.56.17","v1.56.18","v1.56.19","v1.56.2","v1.56.20","v1.56.21","v
1.56.22","v1.56.3","v1.56.4","v1.56.5","v1.56.6","v1.56.7","v1.56.8","v1.56.9","v1.57.0","v1.57.1","v1.58.0","v1.59.0","v1.59.1","v1.59.2","v1.59.3","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.6.5","v1.60.0","v1.60.1","v1.60.2","v1.60.3","v1.61.0","v1.62.0","v1.62.1","v1.62.2","v1.63.0","v1.64.0","v1.65.0","v1.66.0","v1.66.1","v1.66.2","v1.66.3","v1.66.4","v1.66.5","v1.66.6","v1.66.7","v1.66.8","v1.66.9","v1.67.0","v1.67.1","v1.68.0","v1.68.1","v1.69.0","v1.69.1","v1.69.2","v1.69.3","v1.69.4","v1.69.5","v1.69.6","v1.69.7","v1.69.8","v1.7.0","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v1.70.0","v1.70.1","v1.70.2","v1.71.0","v1.71.1","v1.71.2","v1.72.0","v1.72.1","v1.73.0","v1.73.1","v1.73.2","v1.73.3","v1.73.4","v1.74.0","v1.75.0","v1.75.1","v1.75.2","v1.75.3","v1.75.4","v1.75.5","v1.75.6","v1.75.7","v1.75.8","v1.76.0","v1.76.1","v1.76.2","v1.77.0","v1.77.1","v1.77.2","v1.78.0","v1.79.0","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.80.0-v2.1","v1.80.0-v2.10","v1.80.0-v2.11","v1.80.0-v2.12","v1.80.0-v2.13","v1.80.0-v2.14","v1.80.0-v2.15","v1.80.0-v2.16","v1.80.0-v2.17","v1.80.0-v2.18","v1.80.0-v2.19","v1.80.0-v2.2","v1.80.0-v2.20","v1.80.0-v2.3","v1.80.0-v2.4","v1.80.0-v2.5","v1.80.0-v2.6","v1.80.0-v2.7","v1.80.0-v2.8","v1.80.0-v2.9","v1.9.0","v1.9.1","v1.9.2","v2.0.0","v2.0.0-v2-alpha.1","v2.0.0-v2-alpha.10","v2.0.0-v2-alpha.11","v2.0.0-v2-alpha.12","v2.0.0-v2-alpha.13","v2.0.0-v2-alpha.14","v2.0.0-v2-alpha.15","v2.0.0-v2-alpha.16","v2.0.0-v2-alpha.17","v2.0.0-v2-alpha.18","v2.0.0-v2-alpha.19","v2.0.0-v2-alpha.2","v2.0.0-v2-alpha.20","v2.0.0-v2-alpha.21","v2.0.0-v2-alpha.22","v2.0.0-v2-alpha.23","v2.0.0-v2-alpha.24","v2.0.0-v2-alpha.25","v2.0.0-v2-alpha.26","v2.0.0-v2-alpha.27","v2.0.0-v2-alpha.28","v2.0.0-v2-alpha.29","v2.0.0-v2-alpha.3","v2.0.0-v2-alpha.30","v2.0.0-v2-alpha.31","v2.0.0-v2-alpha.32","v2.0.0-v2-alpha.33","v2.0.0-v2-alpha.34","v2.0.0-v2-alpha.35","v2.0.0-v2-alpha.36","v2.0.0-v2-alpha.37","v2.0.0-v2-alpha.38","v2.0.0-v2-alpha.39","v2.0.0-v2-alpha.4",
"v2.0.0-v2-alpha.40","v2.0.0-v2-alpha.41","v2.0.0-v2-alpha.42","v2.0.0-v2-alpha.43","v2.0.0-v2-alpha.44","v2.0.0-v2-alpha.5","v2.0.0-v2-alpha.6","v2.0.0-v2-alpha.7","v2.0.0-v2-alpha.8","v2.0.0-v2-alpha.9","v2.0.1","v2.1.0","v2.1.1","v2.10.0","v2.11.0","v2.11.1","v2.12.0","v2.13.0","v2.13.1","v2.14.0","v2.14.1","v2.14.2","v2.14.3","v2.14.4","v2.14.5","v2.15.0","v2.16.0","v2.16.1","v2.17.0","v2.17.1","v2.18.0","v2.19.0","v2.2.0","v2.20.0","v2.21.0","v2.22.0","v2.22.1","v2.22.2","v2.23.0","v2.23.1","v2.24.0","v2.25.0","v2.25.1","v2.25.2","v2.25.3","v2.26.0","v2.26.1","v2.26.2","v2.27.0","v2.27.1","v2.28.0","v2.28.1","v2.29.0","v2.29.1","v2.29.2","v2.29.3","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.30.0","v2.31.0","v2.31.1","v2.31.2","v2.31.3","v2.31.4","v2.31.5","v2.32.0","v2.33.0","v2.33.1","v2.34.0","v2.34.1","v2.35.0","v2.35.1","v2.36.0","v2.36.1","v2.36.2","v2.36.3","v2.37.0","v2.37.1","v2.37.2","v2.37.3","v2.38.0","v2.38.1","v2.39.0","v2.39.1","v2.39.2","v2.39.3","v2.4.0","v2.40.0","v2.40.1","v2.40.2","v2.40.3","v2.40.4","v2.40.5","v2.41.0","v2.41.1","v2.41.2","v2.41.3","v2.41.4","v2.41.5","v2.42.0","v2.42.1","v2.42.2","v2.42.3","v2.43.0","v2.43.1","v2.43.2","v2.43.3","v2.43.4","v2.43.5","v2.44.0","v2.44.1","v2.44.2","v2.45.0","v2.46.0","v2.47.0","v2.47.1","v2.47.2","v2.47.3","v2.47.4","v2.47.5","v2.47.6","v2.48.0","v2.48.1","v2.48.2","v2.48.3","v2.49.0","v2.49.1","v2.49.2","v2.49.3","v2.5.0","v2.5.1","v2.50.0","v2.50.1","v2.50.2","v2.50.3","v2.50.4","v2.50.5","v2.51.0","v2.51.1","v2.51.2","v2.51.3","v2.51.4","v2.52.0","v2.52.1","v2.53.0","v2.53.1","v2.53.2","v2.53.3","v2.53.4","v2.53.5","v2.53.6","v2.53.7","v2.54.0","v2.54.1","v2.54.2","v2.54.3","v2.54.4","v2.55.0","v2.6.0","v2.7.0","v2.8.0","v2.8.1","v2.8.2","v2.9.0","v2.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39683.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"}]}