x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49757

Advisory CVE-2024-49757 references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description: The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.

References:

Cross references:

github.com/zitadel/zitadel appears in 18 other report(s):
- data/excluded/GO-2022-0961.yaml (https://github.com/golang/vulndb/issues/961) NOT_IMPORTABLE
- data/excluded/GO-2023-1489.yaml (https://github.com/golang/vulndb/issues/1489) NOT_IMPORTABLE
- data/excluded/GO-2023-2107.yaml (https://github.com/golang/vulndb/issues/2107) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2155.yaml (https://github.com/golang/vulndb/issues/2155) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2187.yaml (https://github.com/golang/vulndb/issues/2187) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2368.yaml (https://github.com/golang/vulndb/issues/2368) NOT_IMPORTABLE
- data/reports/GO-2024-2637.yaml (https://github.com/golang/vulndb/issues/2637)
- data/reports/GO-2024-2655.yaml (https://github.com/golang/vulndb/issues/2655)
- data/reports/GO-2024-2664.yaml (https://github.com/golang/vulndb/issues/2664)
- data/reports/GO-2024-2665.yaml (https://github.com/golang/vulndb/issues/2665)
- data/reports/GO-2024-2788.yaml (https://github.com/golang/vulndb/issues/2788)
- data/reports/GO-2024-2804.yaml (https://github.com/golang/vulndb/issues/2804)
- data/reports/GO-2024-2968.yaml (https://github.com/golang/vulndb/issues/2968)
- data/reports/GO-2024-3014.yaml (https://github.com/golang/vulndb/issues/3014)
- data/reports/GO-2024-3015.yaml (https://github.com/golang/vulndb/issues/3015)
- data/reports/GO-2024-3137.yaml (https://github.com/golang/vulndb/issues/3137)
- data/reports/GO-2024-3138.yaml (https://github.com/golang/vulndb/issues/3138)
- data/reports/GO-2024-3139.yaml (https://github.com/golang/vulndb/issues/3139)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      vulnerable_at: 1.87.5
summary: CVE-2024-49757 in github.com/zitadel/zitadel
cves:
    - CVE-2024-49757
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-49757
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.58.7
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.59.5
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.60.4
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.61.4
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.62.7
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.63.5
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.64.0
    - web: https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc
source:
    id: CVE-2024-49757
    created: 2024-10-25T16:01:19.114752708Z
review_status: UNREVIEWED

golang / vulndb

x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49757 #3217