CVE-2024-29892

MEDIUM Year: 2024
CVSS v3 Score
4.9
Medium
Weakness Type
CWE-863
View all →

Vulnerability Description

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:zitadel:iam:user:resourceowner:name`. To compensate for this we introduced a protection that does prevent actions from changing claims that start with `urn:zitadel:iam`. This vulnerability is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17.

Related Vulnerabilities

CVE-2017-6816

MEDIUM
CVSS:4.9(Medium)

In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.

CWE-8632017

CVE-2020-15120

MEDIUM
CVSS:4.9(Medium)

In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be fur...

CWE-8632020

CVE-2020-26028

MEDIUM
CVSS:4.9(Medium)

An issue was discovered in Zammad before 3.4.1. Admin Users without a ticket.* permission can access Tickets.

CWE-8632020

CVE-2021-22186

MEDIUM
CVSS:4.9(Medium)

An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners

CWE-8632021

CVE-2021-22535

MEDIUM
CVSS:4.9(Medium)

Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product, affecting all DRA versions prior to 10.1 Patch 1. The vulnerability could ...

CWE-8632021

CVE-2021-29158

MEDIUM
CVSS:4.9(Medium)

Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control.

CWE-8632021