{"id":"GHSA-c8fj-4pm8-mp2c","summary":"Broken Authorization in ZITADEL Actions","details":"### Impact\n\n**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role `ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login.\n**Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically.\nDue to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organisations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability.\n\n### Patches\n\n2.x versions are fixed on \u003e= [2.2.0](https://github.com/zitadel/zitadel/releases/tag/v2.2.0)\n1.x versions are fixed on \u003e= [1.87.1](https://github.com/zitadel/zitadel/releases/tag/v1.87.1)\n\nZITADEL recommends upgrading to the latest versions available in due course.\n\n### Workarounds\n\nThere is no workaround since a patch is already available.\n\n### Who did disclose this\n\nDuring our recurring white box penetration test our external security consultant found this issue.\nThe full report will be made public after the complete review.\n\n### References\n\nhttps://docs.zitadel.com/docs/guides/manage/customize/behavior\nhttps://docs.zitadel.com/docs/apis/actions\nhttps://zitadel.com/blog/pentest-results-h1-2021\n\n### Questions\n\nIf you have any questions or comments about this advisory:\n* Email us at [security@zitadel.com](mailto:security@zitadel.com)\n","aliases":["CVE-2022-36051"],"modified":"2023-11-08T04:09:58.908743Z","published":"2022-08-30T20:54:28Z","database_specific":{"github_reviewed_at":"2022-08-30T20:54:28Z","severity":"HIGH","nvd_published_at":"2022-08-31T23:15:00Z","cwe_ids":["CWE-436","CWE-863"],"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36051"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/pull/4237"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/pull/4238"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v1.87.1"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.2.0"},{"type":"PACKAGE","url":"github.com/zitadel/zitadel"}],"affected":[{"package":{"name":"github.com/zitadel/zitadel","ecosystem":"Go","purl":"pkg:golang/github.com/zitadel/zitadel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.0"},{"fixed":"2.2.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-c8fj-4pm8-mp2c/GHSA-c8fj-4pm8-mp2c.json"}},{"package":{"name":"github.com/zitadel/zitadel","ecosystem":"Go","purl":"pkg:golang/github.com/zitadel/zitadel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.42.0"},{"fixed":"1.87.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-c8fj-4pm8-mp2c/GHSA-c8fj-4pm8-mp2c.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"}]}