CVE-2024-49753
📋 TL;DR
This vulnerability in Zitadel identity infrastructure software allows attackers to bypass URL validation restrictions and send requests to localhost (127.0.0.1) by using DNS records that resolve to that address. This could enable unauthorized access to internal endpoints that may contain sensitive information or functionality. All Zitadel users running affected versions are vulnerable.
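The bypass described above comes down to validating the hostname string in a URL instead of the address that hostname actually resolves to. The Go example below is added here and is not Zitadel's code: it contrasts a string-only check (an assumed model of the weak validation) with one that resolves first, using a constructed resolver table in place of DNS; `loop.example.test` and `api.example.test` are made-up names.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)
// isBlockedIP covers loopback, private, link-local and unspecified space.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// hostnameOnlyCheck models the weak validation (assumed shape): a string match on
// the parsed host, so a public name whose A record is 127.0.0.1 passes.
func hostnameOnlyCheck(host string) bool {
	return host != "localhost" && host != "127.0.0.1" && host != "::1"
}

// resolvedCheck resolves the host first and rejects the URL if any address is
// blocked. Dial a returned address, not the name: a later lookup may differ (rebinding).
func resolvedCheck(raw string, lookup func(string) ([]net.IP, error)) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	host := u.Hostname()
	ips, err := lookup(host) // production: net.LookupIP, which also accepts IP literals
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("lookup %s failed: %v", host, err)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}

// constructedResolver stands in for DNS; loop.example.test is a made-up name
// whose record points at loopback, the pattern this advisory describes.
func constructedResolver(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"loop.example.test": {net.ParseIP("127.0.0.1")},
		"api.example.test":  {net.ParseIP("203.0.113.10")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}
```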
💻 Affected Systems
- Zitadel
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to unsecured internal endpoints on localhost, potentially accessing sensitive data, administrative functions, or exploiting other local services.
Likely Case
Limited information disclosure from internal endpoints that lack proper authentication, potentially exposing configuration data or internal service information.
If Mitigated
If internal endpoints are properly secured with authentication and network segmentation, impact is limited to failed connection attempts.
🎯 Exploit Status
Requires ability to control DNS resolution and knowledge of internal endpoints. Exploitation depends on what unsecured services are running on localhost.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, or 2.58.7
Vendor Advisory: https://github.com/zitadel/zitadel/releases
Restart Required: Yes
Instructions:
1. Identify your current Zitadel version.
2. Upgrade to the appropriate patched version for your release track.
3. Restart Zitadel services.
4. Verify the fix is applied.
🧯 If You Can't Patch
- Disable Zitadel actions functionality if not required
- Implement network-level restrictions to block outbound connections from Zitadel to localhost
🔍 How to Verify
Check if Vulnerable:
Compare the running Zitadel version against the affected-versions list. If the version is affected and the actions feature is enabled, the system is vulnerable.
Check Version:
Check the Zitadel admin interface or the deployment configuration for the version information.
Verify Fix Applied:
Verify that the Zitadel version is at least the patched release for its track: 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, or 2.58.7, or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound connection attempts from Zitadel to localhost addresses
- Failed URL validation attempts in action logs
Network Indicators:
- Outbound connections from Zitadel to 127.0.0.1 or localhost
- DNS queries for domains that resolve to localhost
SIEM Query:
source="zitadel" AND (destination_ip="127.0.0.1" OR hostname="localhost")
🔗 References
- https://github.com/zitadel/zitadel/releases/tag/v2.58.7
- https://github.com/zitadel/zitadel/releases/tag/v2.59.5
- https://github.com/zitadel/zitadel/releases/tag/v2.60.4
- https://github.com/zitadel/zitadel/releases/tag/v2.61.4
- https://github.com/zitadel/zitadel/releases/tag/v2.62.8
- https://github.com/zitadel/zitadel/releases/tag/v2.63.6
- https://github.com/zitadel/zitadel/releases/tag/v2.64.1
- https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv