{"id":"GHSA-gp8g-f42f-95q2","summary":"ZITADEL's actions can overload reserved claims","details":"### Impact\nUnder certain circumstances an action could set [reserved claims](https://zitadel.com/docs/apis/openidoauth/claims#reserved-claims) managed by ZITADEL.\n\nFor example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`\n\n```json\n{\"urn:zitadel:iam:user:resourceowner:name\": \"ACME\"}\n```\n\nif it was not set by ZITADEL itself.\n\nTo compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`\n\n### Patches\n2.x versions are fixed on \u003e= [2.48.3](https://github.com/zitadel/zitadel/releases/tag/v2.48.3)\n2.47.x versions are fixed on \u003e= [2.47.8](https://github.com/zitadel/zitadel/releases/tag/v2.47.8)\n2.46.x versions are fixed on \u003e= [2.46.5](https://github.com/zitadel/zitadel/releases/tag/v2.46.5)\n2.45.x versions are fixed on \u003e= [2.45.5](https://github.com/zitadel/zitadel/releases/tag/v2.45.5)\n2.44.x versions are fixed on \u003e= [2.44.7](https://github.com/zitadel/zitadel/releases/tag/v2.44.7)\n2.43.x versions are fixed on \u003e= [2.43.11](https://github.com/zitadel/zitadel/releases/tag/v2.43.11)\n2.42.x versions are fixed on \u003e= [2.42.17](https://github.com/zitadel/zitadel/releases/tag/v2.42.17)\n\n### Workarounds\nNo workaround available since a patch is available\n\n### Credits\nMany thanks to @schettn whose disclosure of another topic lead us to find this issue.\n","aliases":["CVE-2024-29892","GO-2024-2664"],"modified":"2024-11-18T16:26:38Z","published":"2024-03-28T17:07:32Z","related":["CVE-2024-29892"],"database_specific":{"severity":"HIGH","nvd_published_at":"2024-03-27T20:15:08Z","github_reviewed":true,"github_reviewed_at":"2024-03-28T17:07:32Z","cwe_ids":["CWE-863"]},"references":[{"type":"WEB","url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-gp8g-f42f-95q2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29892"},{"type":"PACKAGE","url":"https://github.com/zitadel/zitadel"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.42.17"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.43.11"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.44.7"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.45.5"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.46.5"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.47.8"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.48.3"}],"affected":[{"package":{"name":"github.com/zitadel/zitadel","ecosystem":"Go","purl":"pkg:golang/github.com/zitadel/zitadel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.42.17"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-gp8g-f42f-95q2/GHSA-gp8g-f42f-95q2.json"}},{"package":{"name":"github.com/zitadel/zitadel","ecosystem":"Go","purl":"pkg:golang/github.com/zitadel/zitadel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.43.0"},{"fixed":"2.43.11"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-gp8g-f42f-95q2/GHSA-gp8g-f42f-95q2.json"}},{"package":{"name":"github.com/zitadel/zitadel","ecosystem":"Go","purl":"pkg:golang/github.com/zitadel/zitadel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.44.0"},{"fixed":"2.44.7"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-gp8g-f42f-95q2/GHSA-gp8g-f42f-95q2.json"}},{"package":{"name":"github.com/zitadel/zitadel","ecosystem":"Go","purl":"pkg:golang/github.com/zitadel/zitadel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.45.0"},{"fixed":"2.45.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-gp8g-f42f-95q2/GHSA-gp8g-f42f-95q2.json"}},{"package":{"name":"github.com/zitadel/zitadel","ecosystem":"Go","purl":"pkg:golang/github.com/zitadel/zitadel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.46.0"},{"fixed":"2.46.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-gp8g-f42f-95q2/GHSA-gp8g-f42f-95q2.json"}},{"package":{"name":"github.com/zitadel/zitadel","ecosystem":"Go","purl":"pkg:golang/github.com/zitadel/zitadel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.47.0"},{"fixed":"2.47.8"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-gp8g-f42f-95q2/GHSA-gp8g-f42f-95q2.json"}},{"package":{"name":"github.com/zitadel/zitadel","ecosystem":"Go","purl":"pkg:golang/github.com/zitadel/zitadel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.48.0"},{"fixed":"2.48.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-gp8g-f42f-95q2/GHSA-gp8g-f42f-95q2.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}