Account Takeover via Session Fixation in Zitadel [Bypassing MFA]

Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim’s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`.

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

特权管理不恰当

ZITADEL 安全漏洞

ZITADEL是瑞士ZITADEL开源的一个 Auth0、Firebase Auth、AWS Cognito 以及为容器和无服务器时代构建的 Keycloak 的现代开源替代方案。 ZITADEL 2.46.0之前、2.45.1之前、2.44.3之前版本存在安全漏洞，该漏洞源于ZITADEL 使用 cookie 来识别用户代理及用户会话，攻击者利用该漏洞可以向用户提供托管在子域上的恶意链接，在某些情况下访问受害者的帐户。

N/A

N/A