CVE-2022-36051 : ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**,

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update.

Published 2022-08-31 23:15:08

Updated 2022-09-09 15:12:45

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-36051

Zitadel » Zitadel
Versions from including (>=) 1.42.0 and before (<) 1.87.1
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
Matching versions
Zitadel » Zitadel
Versions from including (>=) 2.0.0 and before (<) 2.2.0
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-36051

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 25 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-36051

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N	2.3	5.8	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2022-36051

CWE-436 Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Assigned by: security-advisories@github.com (Secondary)
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-36051

https://github.com/zitadel/zitadel/releases/tag/v2.2.0

Release v2.2.0 · zitadel/zitadel · GitHub
Patch;Release Notes;Third Party Advisory
https://github.com/zitadel/zitadel/releases/tag/v1.87.1

Release v1.87.1 · zitadel/zitadel · GitHub
Third Party Advisory
https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c

Broken Authorization in ZITADEL Actions · Advisory · zitadel/zitadel · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-36051

Products affected by CVE-2022-36051

Exploit prediction scoring system (EPSS) score for CVE-2022-36051

CVSS scores for CVE-2022-36051

CWE ids for CVE-2022-36051

References for CVE-2022-36051