Vulnerability Information
Vulnerability Title
ZITADEL Cross-Tenant Information Disclosure in Management API
Vulnerability Description
ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, ZITADEL's Management API allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve management-plane information belonging to other organizations by specifying a different tenant's project_id, grant_id, or app_id. This vulnerability is fixed in 3.4.8 and 4.12.2.
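The flaw described above is a missing tenant check: the role on the token is verified, but the resource named by the caller-supplied id is not checked against the caller's organization. The following added example (hypothetical code, not ZITADEL's own implementation or data model) shows a vulnerable project lookup beside a fixed one that also compares the resource's owning organization with the token's; project ids, organization ids and the projects map are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-in for a management-plane project store; not ZITADEL's
// own code or data model. ResourceOwner is the organization that owns it.
type Project struct{ ID, ResourceOwner string }

var ErrNotFound = errors.New("project not found")
var ErrForbidden = errors.New("forbidden")

var projects = map[string]Project{
	"proj-A1": {"proj-A1", "org-A"},
	"proj-B1": {"proj-B1", "org-B"},
}

// GetProjectVulnerable checks the caller's role but not the tenant: any holder
// of project.read can read any project_id, the bug class described above.
func GetProjectVulnerable(roles map[string]bool, projectID string) (Project, error) {
	if !roles["project.read"] {
		return Project{}, ErrForbidden
	}
	if p, ok := projects[projectID]; ok {
		return p, nil
	}
	return Project{}, ErrNotFound
}

// GetProjectFixed also requires the project's ResourceOwner to equal callerOrg
// (the token's organization); a foreign id is answered like an unknown one.
func GetProjectFixed(callerOrg string, roles map[string]bool, projectID string) (Project, error) {
	if !roles["project.read"] {
		return Project{}, ErrForbidden
	}
	if p, ok := projects[projectID]; ok && p.ResourceOwner == callerOrg {
		return p, nil
	}
	return Project{}, ErrNotFound
}

func main() {
	roles := map[string]bool{"project.read": true} // low-privilege token from org-A
	_, err := GetProjectVulnerable(roles, "proj-B1")
	fmt.Println("vulnerable:", err) // <nil>: org-B's project was returned to org-A
	_, err = GetProjectFixed("org-A", roles, "proj-B1")
	fmt.Println("fixed:", err) // project not found
}
```

Answering a foreign id with the same error as an unknown id avoids turning the lookup into an existence oracle for other tenants' ids.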
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
Authorization Bypass Through User-Controlled Key
Vulnerability Title
ZITADEL Security Vulnerability
Vulnerability Description
ZITADEL is an open source identity and access management platform from ZITADEL of Switzerland. ZITADEL versions prior to 3.4.8 and prior to 4.12.2 contain a security vulnerability caused by an access-control flaw in the Management API, which may allow an authenticated user holding a low-privilege token to retrieve management-plane information belonging to other organizations by specifying another tenant's ID.
CVSS Information
N/A
Vulnerability Type
N/A