search

golang / vulndb

[mirror] The Go Vulnerability Database
Other
564 stars 61 forks source link

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-6rrr-78xp-5jp8, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/zitadel/zitadel 2.16.4 >= 2.0.0, < 2.16.4 github.com/zitadel/zitadel 2.17.3 >= 2.17.0, < 2.17.3

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/zitadel/zitadel
    versions:
      - introduced: 2.0.0
        fixed: 2.16.4
    packages:
      - package: github.com/zitadel/zitadel
  - module: github.com/zitadel/zitadel
    versions:
      - introduced: 2.17.0
        fixed: 2.17.3
    packages:
      - package: github.com/zitadel/zitadel
description: |
    ### Impact
    RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI.

    RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant.

    When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration).

    ### Patches
    2.x versions are fixed on >= [2.17.3](https://github.com/zitadel/zitadel/releases/tag/v2.17.3)
    2.16.x versions are fixed on >= [2.16.4](https://github.com/zitadel/zitadel/releases/tag/v2.16.4)

    ZITADEL recommends upgrading to the latest versions available in due course.

    ### Workarounds
    Ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements.

    ### References

    https://zitadel.com/docs/guides/manage/console/instance-settings#oidc-token-lifetimes-and-expiration
cves:
  - CVE-2023-22492
ghsas:
  - GHSA-6rrr-78xp-5jp8
gopherbot commented 1 year ago

Change https://go.dev/cl/461640 mentions this issue: data/excluded: batch add excluded reports

gopherbot commented 1 year ago

Change https://go.dev/cl/461643 mentions this issue: data/excluded: batch add GO-2023-1471, GO-2023-1469, GO-2023-1465, GO-2023-1462, GO-2023-1461, GO-2023-1449, GO-2023-1292, GO-2023-1291, GO-2023-1286, GO-2023-1285, GO-2023-1467, GO-2023-1460, GO-2023-1267, GO-2023-1490, GO-2023-1489, GO-2023-1294

gopherbot commented 5 months ago

Change https://go.dev/cl/592759 mentions this issue: data/reports: unexclude 75 reports