Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-47111 #2325

Closed
GoVulnBot opened this issue Nov 8, 2023 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-47111 #2325

GoVulnBot opened this issue Nov 8, 2023 · 2 comments
Assignees
@zpavlinovic

Comments

@GoVulnBot
Copy link

CVE-2023-47111 references github.com/zitadel/zitadel, which may be a Go module.

Description:
ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a Lockout Policy with a maximum amount of failed password check attempts. On every failed password check, the amount of failed checks is compared against the configured maximum. Exceeding the limit, will lock the user and prevent further authentication. In the affected implementation it was possible for an attacker to start multiple parallel password checks, giving him the possibility to try out more combinations than configured in the Lockout Policy. This vulnerability has been patched in versions 2.40.5 and 2.38.3.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/zitadel/zitadel
      vulnerable_at: 1.87.5
      packages:
        - package: zitadel
cves:
    - CVE-2023-47111
references:
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m
    - fix: https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.38.3
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.40.5
@zpavlinovic zpavlinovic self-assigned this Nov 10, 2023
@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Nov 10, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/541356 mentions this issue: data/excluded: batch add 5 excluded reports

@zpavlinovic zpavlinovic removed the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Nov 10, 2023
@zpavlinovic
Copy link
Contributor

Duplicate of #2188

@zpavlinovic zpavlinovic marked this as a duplicate of #2188 Nov 10, 2023
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@zpavlinovic zpavlinovic

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot