CVE-2023-47111

7.3 HIGH

📋 TL;DR

ZITADEL lets administrators define a lockout policy with a maximum number of failed password checks. In affected versions the failure count is compared against that maximum at the start of each check and only incremented after the check has finished, so an attacker who starts many password checks against one account in parallel gets every one of them evaluated before any lock can take effect. The result is more guesses per account than the policy permits, which is exactly what lockout policies exist to stop. Fixed in 2.40.5 and 2.38.3.

💻 Affected Systems

Products:
  • ZITADEL
Versions: below 2.38.3; 2.39.0 up to and including 2.40.4 (fixed in 2.40.5)
Operating Systems: All platforms running ZITADEL
Default Config Vulnerable: ⚠️ Yes, whenever a lockout policy with a maximum number of failed password attempts is configured
Notes: The bypass defeats the configured limit on every affected deployment. Where no maximum is set the policy is not enforcing anything and there is no limit to bypass; that is a weaker position, not a mitigation.

📦 What is this software?

ZITADEL is an open-source identity and access management platform written in Go. It acts as an OpenID Connect / OAuth 2.0 and SAML identity provider for applications, can be self-hosted or used as a cloud service, and manages users along with their password, MFA and lockout policies.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could brute-force user credentials without being locked out, potentially compromising administrative or user accounts.

🟠

Likely Case

Increased risk of successful credential stuffing or brute-force attacks against user accounts.

🟢

If Mitigated

With proper patching, lockout policies function correctly, limiting failed attempts and preventing brute-force attacks.

🌐 Internet-Facing: HIGH - Authentication systems exposed to the internet are primary targets for this bypass.
🏢 Internal Only: MEDIUM - Internal systems still face risk from insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes - the attacker needs no credentials, only network reach to a password check endpoint and a target username.
Complexity: LOW - the attacker sends many password checks for one account concurrently so that each is compared against the failure count before the others have been recorded; ordinary parallel HTTP requests suffice, no precise timing is needed.

Exploitation requires the ability to send authentication requests (hosted login UI or Session API) for the target account; no privileges or prior access are needed.
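The race pattern behind this advisory, as an added example in Go (ZITADEL's own language) that is not ZITADEL's code: a simplified lockout check that compares the failure count against the policy, verifies the guess, and records the failure only afterwards, beside a variant that reserves the attempt atomically before verifying. The 20 ms delay in verifyPassword, the twelve wrong guesses and the limit of three are constructed for the demonstration; the hardened variant shows one way to close the window and is not necessarily how upstream fixed it.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// maxAttempts models the lockout policy's "maximum password attempts" setting (constructed value).
const maxAttempts = 3

// verifyPassword stands in for a slow hash comparison such as bcrypt. The
// constructed 20 ms delay is the race window; real hashing is slow as well.
func verifyPassword(guess string) bool {
	time.Sleep(20 * time.Millisecond)
	return guess == "correct horse battery staple"
}

// Result counts guesses that reached the hash comparison versus guesses
// refused because the lockout limit had been reached.
type Result struct {
	Evaluated int64
	Refused   int64
}

// runParallel fires one goroutine per guess and releases them all at once,
// the way an attacker does with concurrent HTTP requests.
func runParallel(guesses []string, check func(guess string)) {
	start := make(chan struct{})
	var wg sync.WaitGroup
	for _, g := range guesses {
		wg.Add(1)
		go func(guess string) {
			defer wg.Done()
			<-start
			check(guess)
		}(g)
	}
	close(start)
	wg.Wait()
}

// vulnerableLockout: read the failure counter, compare with the policy,
// verify, and only then record the failure. Every check that starts before
// the first one finishes sees the same low counter and is let through.
func vulnerableLockout(guesses []string) Result {
	var failed, evaluated, refused int64 // failed models the per-user counter (a DB row in reality)
	runParallel(guesses, func(guess string) {
		if atomic.LoadInt64(&failed) >= maxAttempts {
			atomic.AddInt64(&refused, 1)
			return
		}
		atomic.AddInt64(&evaluated, 1)
		if !verifyPassword(guess) {
			atomic.AddInt64(&failed, 1) // recorded too late to stop the checks already running
		}
	})
	return Result{Evaluated: evaluated, Refused: refused}
}

// hardenedLockout: reserve the attempt atomically before the expensive
// verification and refuse as soon as the reserved slot exceeds the policy.
// At most maxAttempts guesses are ever evaluated, however many run at once.
func hardenedLockout(guesses []string) Result {
	var failed, evaluated, refused int64
	runParallel(guesses, func(guess string) {
		if atomic.AddInt64(&failed, 1) > maxAttempts {
			atomic.AddInt64(&refused, 1)
			return
		}
		atomic.AddInt64(&evaluated, 1)
		if verifyPassword(guess) {
			atomic.StoreInt64(&failed, 0) // a correct password resets the counter
		}
	})
	return Result{Evaluated: evaluated, Refused: refused}
}

// wrongGuesses builds n constructed wrong passwords for the demonstration.
func wrongGuesses(n int) []string {
	out := make([]string, n)
	for i := range out {
		out[i] = fmt.Sprintf("wrong-%02d", i)
	}
	return out
}

func main() {
	guesses := wrongGuesses(12)
	fmt.Printf("policy: %d attempts, attacker sends %d in parallel\n", maxAttempts, len(guesses))
	v := vulnerableLockout(guesses)
	fmt.Printf("vulnerable: %d evaluated, %d refused\n", v.Evaluated, v.Refused)
	h := hardenedLockout(guesses)
	fmt.Printf("hardened:   %d evaluated, %d refused\n", h.Evaluated, h.Refused)
}
```

The vulnerable path evaluates all twelve guesses because every goroutine reads the counter during the first one's hash comparison; the hardened path evaluates exactly three and refuses nine regardless of scheduling, because the increment happens before anything slow. In a real system the equivalent of "reserve before verify" is a single atomic update of the per-user counter (or a per-user serialisation of the check) rather than separate read and write round trips.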

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.40.5 or 2.38.3

Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m

Restart Required: Yes

Instructions:

1. Back up the ZITADEL database and configuration.
2. Upgrade to 2.40.5 (current release line) or 2.38.3 (patched release for the 2.38 line), following the project's upgrade procedure so that any pending database migrations run.
3. Restart the ZITADEL services (for container deployments, roll out the new image tag).
4. Verify that the lockout policy now locks the account at the configured number of failed attempts, even when the attempts arrive in parallel.

🔧 Temporary Workarounds

Rate Limit Authentication Endpoints

Platforms: all

A strict per-client rate limit in front of the password check endpoints (the hosted login UI and the Session API) caps how many checks one client can have in flight, which narrows the race window but does not remove it: an attacker spreading requests across many source addresses is unaffected, and a limit generous enough to let a burst through still lets several parallel checks through. Treat it as a stopgap until the upgrade. If ZITADEL sits behind another proxy or load balancer, make sure nginx sees the real client address (ngx_http_realip_module), otherwise the limit applies to the proxy as a whole.

# http{} context: one state zone keyed by client address; keep the rate low for this path
limit_req_zone $binary_remote_addr zone=auth:10m rate=2r/s;
# server{} context: apply it to the login UI (adjust the path and upstream to your deployment)
location /ui/login/ { limit_req zone=auth; proxy_pass http://zitadel_backend; }

🧯 If You Can't Patch

  • Enforce multi-factor authentication: a guessed password alone then does not grant access, which is what makes this bypass dangerous. A strong password complexity policy also raises the cost of each extra guess the bypass buys the attacker.
  • Alert on accounts that accumulate more failed password checks than the policy allows without being locked, and on bursts of concurrent attempts against one account. Count per target user, not only per source IP: the bypass is per account and the requests can come from many addresses.

🔍 How to Verify

Check if Vulnerable:

Check the running ZITADEL version. 2.38.x below 2.38.3, and any 2.39.x or 2.40.x release below 2.40.5, is vulnerable; 2.40.5 and later (and 2.38.3 on the 2.38 line) are fixed.

Check Version:

zitadel version

In containerised deployments the tag of the running image (ghcr.io/zitadel/zitadel:vX.Y.Z) is the authoritative answer; check it with your orchestrator rather than trusting a locally installed binary.

Verify Fix Applied:

After patching, confirm with a disposable test user: set the lockout policy to a small maximum (for example three attempts), then fire more wrong-password checks than that against the user at the same time (parallel requests, not one after another). With the fix in place no more than the configured number of checks is evaluated before the user is locked; if every attempt is evaluated, the vulnerable code is still running. Unlock the test user afterwards.

📡 Detection & Monitoring

Log Indicators:

  • More user.human.password.check.failed events for one user than the lockout policy allows, with no user.locked event following them (a working policy emits the lock at the configured maximum)
  • Bursts of failed password checks against one account within milliseconds of each other: the concurrent requests the bypass relies on

Network Indicators:

  • Bursts of POSTs to the hosted login's password step (/ui/login/password) or of Session API calls carrying a password check for one account. ZITADEL does not implement the OAuth password grant, so /oauth/v2/token is not where password checks happen and is not where this bypass is exercised.
  • Many simultaneous connections from a single client to those endpoints; a distributed attacker will not show this, so treat it as supporting evidence only

SIEM Query:

source="zitadel" event_type="user.human.password.check.failed"
| stats count AS failed_checks, min(_time) AS first_seen, max(_time) AS last_seen BY aggregate_id
| where failed_checks > [max_password_attempts]

The event type strings are ZITADEL's own eventstore types; the field names (event_type, aggregate_id) depend on how eventstore records are shipped to the SIEM and must be adjusted. Exclude users that also have a user.locked event in the same period, and treat per-source-IP counting as a secondary signal only, since the bypass targets one account and the requests may arrive from many addresses.
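Detection logic for that per-user signature, as an added example (Go; not ZITADEL's code): it parses constructed eventstore-style records, counts user.human.password.check.failed events per user inside a sliding window, and flags users above the policy limit that have no user.locked event. The event type strings are the ones ZITADEL's eventstore records; the JSON field names (event_type, aggregate_id, created_at), the sample data, the limit of three and the ten second window are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is the record shape this example assumes for one exported eventstore
// row. The field names are an assumption; the type strings are ZITADEL's.
type Event struct {
	Type      string    `json:"event_type"`
	UserID    string    `json:"aggregate_id"`
	CreatedAt time.Time `json:"created_at"`
}

const (
	passwordCheckFailed = "user.human.password.check.failed"
	userLocked          = "user.locked"
)

// parseEvents decodes newline-delimited JSON and returns the events in time order.
func parseEvents(ndjson string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad event line %q: %w", line, err)
		}
		out = append(out, e)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].CreatedAt.Before(out[j].CreatedAt) })
	return out, nil
}

// detectLockoutBypass returns, per user, the largest number of failed checks
// inside any span of `window` when that number exceeds maxAttempts and the
// user was never locked. A working policy locks at the maxAttempts-th
// failure, so "more failures than the limit and no lock" is the bypass.
func detectLockoutBypass(events []Event, maxAttempts int, window time.Duration) map[string]int {
	failures := map[string][]time.Time{} // events are already time-ordered
	locked := map[string]bool{}
	for _, e := range events {
		switch e.Type {
		case passwordCheckFailed:
			failures[e.UserID] = append(failures[e.UserID], e.CreatedAt)
		case userLocked:
			locked[e.UserID] = true
		}
	}
	findings := map[string]int{}
	for user, times := range failures {
		if locked[user] {
			continue
		}
		best, j := 0, 0 // two-pointer sliding window over sorted timestamps
		for i := range times {
			for j < len(times) && times[j].Sub(times[i]) <= window {
				j++
			}
			if j-i > best {
				best = j - i
			}
		}
		if best > maxAttempts {
			findings[user] = best
		}
	}
	return findings
}

// sampleEvents is constructed data: alice takes five failed checks within a
// second and is never locked (the bypass); bob is locked on his third
// failure as the policy intends; carol fails twice.
const sampleEvents = `
{"event_type":"user.human.password.check.failed","aggregate_id":"u-alice","created_at":"2023-11-08T10:00:00.100Z"}
{"event_type":"user.human.password.check.failed","aggregate_id":"u-alice","created_at":"2023-11-08T10:00:00.120Z"}
{"event_type":"user.human.password.check.failed","aggregate_id":"u-alice","created_at":"2023-11-08T10:00:00.125Z"}
{"event_type":"user.human.password.check.failed","aggregate_id":"u-alice","created_at":"2023-11-08T10:00:00.140Z"}
{"event_type":"user.human.password.check.failed","aggregate_id":"u-alice","created_at":"2023-11-08T10:00:00.160Z"}
{"event_type":"user.human.password.check.failed","aggregate_id":"u-bob","created_at":"2023-11-08T10:05:00Z"}
{"event_type":"user.human.password.check.failed","aggregate_id":"u-bob","created_at":"2023-11-08T10:05:04Z"}
{"event_type":"user.human.password.check.failed","aggregate_id":"u-bob","created_at":"2023-11-08T10:05:09Z"}
{"event_type":"user.locked","aggregate_id":"u-bob","created_at":"2023-11-08T10:05:09Z"}
{"event_type":"user.human.password.check.failed","aggregate_id":"u-carol","created_at":"2023-11-08T10:07:00Z"}
{"event_type":"user.human.password.check.failed","aggregate_id":"u-carol","created_at":"2023-11-08T10:07:30Z"}
`

// analyse runs the detection over the sample with a three-attempt policy and a ten second window.
func analyse() (map[string]int, error) {
	events, err := parseEvents(sampleEvents)
	if err != nil {
		return nil, err
	}
	return detectLockoutBypass(events, 3, 10*time.Second), nil
}

func main() {
	findings, err := analyse()
	if err != nil {
		panic(err)
	}
	for user, n := range findings {
		fmt.Printf("user %s: %d failed password checks without lock (policy allows 3)\n", user, n)
	}
}
```

Run against a real export, take maxAttempts from the instance or organisation lockout policy rather than hard-coding it, and keep the window short: the bypass needs the extra checks to be in flight together, so legitimate users spreading mistakes over minutes will not trip it.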

🔗 References

  • GitHub Security Advisory GHSA-7h8m-vrxx-vr4m: https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m
  • NVD entry for CVE-2023-47111: https://nvd.nist.gov/vuln/detail/CVE-2023-47111