{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-49097", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-21T18:57:30.430Z", "datePublished": "2023-11-30T04:45:49.675Z", "dateUpdated": "2023-11-30T04:45:49.675Z"}, "containers": {"cna": {"title": "ZITADEL vulnerable account takeover via malicious host header injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-640", "lang": "en", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w"}], "affected": [{"vendor": "zitadel", "product": "zitadel", "versions": [{"version": ">= 2.39.0, < 2.39.9", "status": "affected"}, {"version": ">= 2.40.0, < 2.40.10", "status": "affected"}, {"version": ">= 2.41.0, < 2.41.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-30T04:45:49.675Z"}, "descriptions": [{"lang": "en", "value": "ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.\n"}], "source": {"advisory": "GHSA-2wmj-46rj-qm2w", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B217DCB5-07BA-4BA3-97A2-91397DAA878D", "versionEndExcluding": "2.39.9", "versionStartIncluding": "2.39.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "75A6467A-C432-4810-A2D9-FBED9090ED67", "versionEndExcluding": "2.40.10", "versionStartIncluding": "2.40.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A14C74C2-0A2A-4F71-86D6-7CFE7911D6EB", "versionEndExcluding": "2.41.6", "versionStartIncluding": "2.41.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.\n"}, {"lang": "es", "value": "ZITADEL es un sistema de infraestructura de identidad. ZITADEL utiliza el encabezado de solicitudes de activaci\u00f3n de notificaciones Forwarded o X-Forwarded-Host para crear el enlace del bot\u00f3n enviado en los correos electr\u00f3nicos para confirmar un restablecimiento de contrase\u00f1a con el c\u00f3digo enviado por correo electr\u00f3nico. Si este encabezado se sobrescribe y un usuario hace clic en el enlace a un sitio malicioso en el correo electr\u00f3nico, el c\u00f3digo secreto se puede recuperar y utilizar para restablecer la contrase\u00f1a del usuario y hacerse cargo de su cuenta. Este ataque no puede apoderarse de las cuentas con MFA o sin contrase\u00f1a habilitadas. Este problema se solucion\u00f3 en las versiones 2.41.6, 2.40.10 y 2.39.9."}], "id": "CVE-2023-49097", "lastModified": "2023-12-08T15:18:19.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-30T05:15:09.503", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}