CVE-2024-47060
📋 TL;DR
This vulnerability in the Zitadel identity management platform allows unauthorized access to applications and projects even after their parent organization or project has been deactivated. Users from other organizations can still authenticate to and access resources that should be restricted. All Zitadel deployments running affected versions are impacted.
💻 Affected Systems
- Zitadel
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users gain persistent access to sensitive applications and data that should have been deactivated, potentially leading to data breaches or privilege escalation.
Likely Case
Former employees or users from other organizations maintain unintended access to applications and resources after organizational changes.
If Mitigated
Proper access controls and monitoring detect unauthorized access attempts, limiting exposure time.
🎯 Exploit Status
Exploitation requires valid user credentials from another organization, but the vulnerability is straightforward to exploit once discovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, or 2.54.10
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8
Restart Required: Yes
Instructions:
1. Back up your Zitadel configuration and data.
2. Stop the Zitadel service.
3. Upgrade to one of the patched versions.
4. Restart the Zitadel service.
5. Verify that applications are properly deactivated when their organizations are deactivated.
🔧 Temporary Workarounds
Manual Application Deactivation
Explicitly disable applications associated with deactivated organizations or projects.
🧯 If You Can't Patch
- Manually review and disable all applications associated with deactivated organizations and projects
- Implement additional network segmentation and access controls to limit exposure of affected applications
🔍 How to Verify
Check if Vulnerable:
Check whether users from other organizations can still access applications belonging to deactivated organizations or projects.
Check Version:
Run zitadel version, or check the Zitadel admin interface for version information.
Verify Fix Applied:
After patching, verify that deactivating an organization automatically deactivates all of its associated applications and that authentication to them is refused.
📡 Detection & Monitoring
Log Indicators:
- Authentication attempts to applications belonging to deactivated organizations
- Access logs showing users from other organizations accessing restricted applications
Network Indicators:
- Unexpected authentication traffic to applications that should be inactive
SIEM Query:
source="zitadel" AND (event_type="authentication" OR event_type="access") AND (org_status="deactivated" OR project_status="deactivated")
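The log-indicator and SIEM logic above, expressed as a script that joins authentication events against an inventory of application, project and organization status and flags events that hit an application whose parent is deactivated (the condition this CVE lets through). This is an added example, not Zitadel's code or log schema: the record field names (event_type, user_org, app_id), the inventory shape and all sample data are constructed assumptions.

```python
"""Flag authentication/access events against applications whose parent
project or organization is deactivated. Constructed sample data; the field
names below are assumptions, not Zitadel's actual log or API schema."""
from dataclasses import dataclass
from typing import Optional

DEACTIVATED = "deactivated"


@dataclass(frozen=True)
class App:
    app_id: str
    project_id: str
    org_id: str


# Constructed inventory of parent status (would come from the Zitadel API in practice).
ORG_STATUS = {"org-a": "active", "org-b": DEACTIVATED}
PROJECT_STATUS = {"proj-1": "active", "proj-2": "active", "proj-3": DEACTIVATED}
APPS = {
    "app-10": App("app-10", "proj-1", "org-a"),  # healthy parents
    "app-20": App("app-20", "proj-2", "org-b"),  # organization deactivated
    "app-30": App("app-30", "proj-3", "org-a"),  # project deactivated
}

# Constructed authentication events, one dict per log line (assumed schema).
EVENTS = [
    {"ts": "2024-09-20T10:00:00Z", "event_type": "authentication", "user_org": "org-a", "app_id": "app-10"},
    {"ts": "2024-09-20T10:01:00Z", "event_type": "authentication", "user_org": "org-c", "app_id": "app-20"},
    {"ts": "2024-09-20T10:02:00Z", "event_type": "access", "user_org": "org-a", "app_id": "app-30"},
    {"ts": "2024-09-20T10:03:00Z", "event_type": "token_refresh", "user_org": "org-c", "app_id": "app-20"},
]


def reason_for(app: App) -> Optional[str]:
    """Return why the app should be unreachable, or None if both parents are active."""
    if ORG_STATUS.get(app.org_id) == DEACTIVATED:
        return f"organization {app.org_id} is deactivated"
    if PROJECT_STATUS.get(app.project_id) == DEACTIVATED:
        return f"project {app.project_id} is deactivated"
    return None


def flag_events(events, apps=APPS):
    """Return (event, reason) pairs for auth/access events that reach an app with a deactivated parent."""
    findings = []
    for ev in events:
        if ev["event_type"] not in ("authentication", "access"):
            continue  # the SIEM query above only considers these two event types
        app = apps.get(ev["app_id"])
        if app is None:
            continue
        reason = reason_for(app)
        if reason:
            cross_org = ev["user_org"] != app.org_id  # the cross-organization case from the TL;DR
            findings.append((ev, reason + (" (cross-organization user)" if cross_org else "")))
    return findings
```

Any finding after patching means deactivation did not propagate to the application and the verification step above has failed.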