jba
commented
1 year ago This is a real vuln with a fix in Go code. But tagging is off: the fix is in v2, but the module path does not end in v2. Running
go get github.com/zitadel/zitadel@v2.37.3 fails.
Closed GoVulnBot closed 1 year ago
jba
commented
1 year ago This is a real vuln with a fix in Go code. But tagging is off: the fix is in v2, but the module path does not end in v2. Running
go get github.com/zitadel/zitadel@v2.37.3 fails.
gopherbot
commented
1 year ago Change https://go.dev/cl/535696 mentions this issue: data/excluded: batch add 5 excluded reports
gopherbot
commented
5 months ago Change https://go.dev/cl/592763 mentions this issue: data/reports: unexclude 75 reports
CVE-2023-44399 references github.com/zitadel/zitadel, which may be a Go module.
Description: ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this settings was properly working during the authentication process it did not work correctly on the password reset flow. This meant that even if this feature was active that an attacker could use the password reset function to verify if an account exist within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.
References:
Cross references:
See doc/triage.md for instructions on how to triage this report.