x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f3gh-529w-v32x #3499

GoVulnBot · 2025-03-04T17:01:36Z

Advisory GHSA-f3gh-529w-v32x references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description:

Summary

ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, we still strongly recommend upgrading to the patched version to address all identified issues.

Description

ZITADEL's Admin API, intended for managing Z...

References:

Cross references:

github.com/zitadel/zitadel appears in 20 other report(s):
- data/excluded/GO-2022-0961.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961) NOT_IMPORTABLE
- data/excluded/GO-2023-1489.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489) NOT_IMPORTABLE
- data/excluded/GO-2023-2107.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-44399 #2107) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2155.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-46238 #2155) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2187.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7h8m-vrxx-vr4m #2187) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2368.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-2wmj-46rj-qm2w #2368) NOT_IMPORTABLE
- data/reports/GO-2024-2637.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-mq4x-r2w3-j7mr #2637)
- data/reports/GO-2024-2655.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hfrg-4jwr-jfpj #2655)
- data/reports/GO-2024-2664.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-gp8g-f42f-95q2 #2664)
- data/reports/GO-2024-2665.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hr5w-cwwq-2v4m #2665)
- data/reports/GO-2024-2788.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7j7j-66cv-m239 #2788)
- data/reports/GO-2024-2804.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-32967 #2804)
- data/reports/GO-2024-2968.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968)
- data/reports/GO-2024-3014.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41952 #3014)
- data/reports/GO-2024-3015.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41953 #3015)
- data/reports/GO-2024-3137.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-2w5j-qfvw-2hf5 #3137)
- data/reports/GO-2024-3138.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-jj94-6f5c-65r8 #3138)
- data/reports/GO-2024-3139.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-qr2h-7pwm-h393 #3139)
- data/reports/GO-2024-3216.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49753 #3216)
- data/reports/GO-2024-3217.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49757 #3217)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      non_go_versions:
        - fixed: 2.63.8
        - introduced: 2.64.0
        - fixed: 2.64.5
        - introduced: 2.65.0
        - fixed: 2.65.6
        - introduced: 2.66.0
        - fixed: 2.66.11
        - introduced: 2.67.0
        - fixed: 2.67.8
        - introduced: 2.68.0
        - fixed: 2.68.4
        - introduced: 2.69.0
        - fixed: 2.69.4
        - introduced: 2.70.0
        - fixed: 2.70.1
      vulnerable_at: 1.87.5
summary: |-
    IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP
    Configurations in github.com/zitadel/zitadel
cves:
    - CVE-2025-27507
ghsas:
    - GHSA-f3gh-529w-v32x
references:
    - advisory: https://github.com/advisories/GHSA-f3gh-529w-v32x
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.63.8
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.64.5
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.65.6
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.66.11
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.67.8
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.68.4
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.69.4
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.70.1
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.71.0
source:
    id: GHSA-f3gh-529w-v32x
    created: 2025-03-04T17:01:35.8786897Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-03-05T16:18:06Z

Change https://go.dev/cl/655095 mentions this issue: data/reports: add 4 reports

GoVulnBot added the NeedsTriage label Mar 4, 2025

thatnealpatel mentioned this issue Mar 5, 2025

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-27507 #3501

Closed

thatnealpatel added triaged and removed NeedsTriage labels Mar 5, 2025

thatnealpatel self-assigned this Mar 10, 2025

gopherbot closed this as completed in d3be009 Mar 10, 2025

This was referenced May 6, 2025

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-g4r8-mp7g-85fq #3668

Closed

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-46815 #3671

Closed

GoVulnBot mentioned this issue May 28, 2025

x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-93m4-mfpg-c3xf #3721

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f3gh-529w-v32x #3499

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f3gh-529w-v32x #3499

GoVulnBot commented Mar 4, 2025

gopherbot commented Mar 5, 2025

Uh oh!

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f3gh-529w-v32x #3499

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f3gh-529w-v32x #3499

Comments

GoVulnBot commented Mar 4, 2025

Summary

Description

gopherbot commented Mar 5, 2025

Uh oh!