x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-22492

[GoVulnBot]

CVE-2023-22492 references github.com/zitadel/zitadel, which may be a Go module.

Description:
ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-22492
• JSON: https://github.com/CVEProject/cvelist/tree/4f01943f8dca614d492a2325d7616dfcddb44299/2023/22xxx/CVE-2023-22492.json
• web: GHSA-6rrr-78xp-5jp8
• fix: zitadel/zitadel@301e22c
• fix: zitadel/zitadel@fc892c5
• Imported by: https://pkg.go.dev/github.com/zitadel/zitadel?tab=importedby

Cross references:

• Module github.com/zitadel/zitadel appears in issue x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/zitadel/zitadel
    packages:
      - package: zitadel
description: |
    ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4.
cves:
  - CVE-2023-22492
references:
  - web: https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8
  - fix: https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83
  - fix: https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2

[gopherbot]

Change https://go.dev/cl/461640 mentions this issue: data/excluded: batch add excluded reports

[gopherbot]

Change https://go.dev/cl/461643 mentions this issue: data/excluded: batch add GO-2023-1471, GO-2023-1469, GO-2023-1465, GO-2023-1462, GO-2023-1461, GO-2023-1449, GO-2023-1292, GO-2023-1291, GO-2023-1286, GO-2023-1285, GO-2023-1467, GO-2023-1460, GO-2023-1267, GO-2023-1490, GO-2023-1489, GO-2023-1294

[neild]

Duplicate of #1489