uniget-org / tools

Tool definitions for uniget
https://tools.uniget.dev
MIT License

chore(deps): update dependency zitadel/zitadel to v2.55.2 #5703

Closed uniget-bot closed 3 months ago

uniget-bot commented 3 months ago

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| zitadel/zitadel | patch | 2.55.1 -> 2.55.2 |

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

zitadel/zitadel (zitadel/zitadel)

### [`v2.55.2`](https://togithub.com/zitadel/zitadel/releases/tag/v2.55.2)

[Compare Source](https://togithub.com/zitadel/zitadel/compare/v2.55.1...v2.55.2)

##### Bug Fixes

- multiple nil pointers ([7f6ecca](https://togithub.com/zitadel/zitadel/commit/7f6ecca0400ca597606b4383c847ae03b311be61))

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.

github-actions[bot] commented 3 months ago

:mag: Vulnerabilities of ghcr.io/uniget-org/tools/zitadel:2.55.2

:package: Image Reference: ghcr.io/uniget-org/tools/zitadel:2.55.2
digest: sha256:1620e351d1943e08039c1a0b2c3053fd5bcee0939c50c9272e1dbb14e60c7fcf
vulnerabilities: critical: 0 high: 3 medium: 3 low: 0 unspecified: 1
platform: linux/amd64
size: 38 MB
packages: 181
critical: 0 high: 2 medium: 3 low: 0 | github.com/zitadel/zitadel 2.55.2 (golang) | pkg:golang/github.com/zitadel/zitadel@2.55.2

high : CVE-2024-29891
Affected range: >=0
Fixed version: Not Fixed
Description:
ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel

high : CVE-2024-28197
Affected range: >=0
Fixed version: Not Fixed
Description:
Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel

medium : CVE-2024-32868
Affected range: >=0
Fixed version: Not Fixed
Description:
ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel

medium : CVE-2024-29892
Affected range: >=0
Fixed version: Not Fixed
Description:
ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel

medium : CVE-2024-32967
Affected range: >=0
Fixed version: Not Fixed
Description:
Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel
critical: 0 high: 1 medium: 0 low: 0 | github.com/gorilla/schema 1.3.0 (golang) | pkg:golang/github.com/gorilla/schema@1.3.0

high 7.5: CVE-2024-37298 Allocation of Resources Without Limits or Throttling
Affected range: <1.4.1
Fixed version: 1.4.1
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description:

### Details

Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. For instance, in the Proof of Concept written below, someone can specify to set a field of the billionth element and it will allocate all other elements before it in the slice.

In the local environment for my project, I was able to call an endpoint like `/innocent_endpoint?arr.10000000.X=1` and freeze my system from the memory allocation while parsing `r.Form`. I think [this line](https://github.com/gorilla/schema/blob/main/decoder.go#L223) is responsible for allocating the slice, although I haven't tested to make sure, so it's just an educated guess.

### Proof of Concept

The following proof of concept works on both v1.2.0 and v1.2.1. I have not tested earlier versions.

```go
package main

import (
	"fmt"

	"github.com/gorilla/schema"
)

func main() {
	dec := schema.NewDecoder()

	// A struct with a slice-of-struct field is the affected shape.
	var result struct {
		Arr []struct{ Val int }
	}

	// Setting only the billionth element still makes the decoder
	// allocate every element before it.
	if err := dec.Decode(&result, map[string][]string{"arr.1000000000.Val": {"1"}}); err != nil {
		panic(err)
	}
	fmt.Printf("%#+v\n", result)
}
```

### Impact

Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. There seems to be no possible solution that a developer using this library can do to disable this behaviour without fixing it in this project, so all uses of Decode that fall under this umbrella are affected. A fix that doesn't require a major change may also be harder to find, since it could break compatibility with some other intended use-cases.
critical: 0 high: 0 medium: 0 low: 0 unspecified: 1 | stdlib 1.22.4 (golang) | pkg:golang/stdlib@1.22.4

unspecified : CVE-2024-24791
Affected range: >=1.22.0-0, <1.22.5
Fixed version: 1.22.5
Description:
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

github-actions[bot] commented 3 months ago

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9797582506.

github-actions[bot] commented 3 months ago

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9797582506.