{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-39683","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2024-06-27T18:44:13.034Z","datePublished":"2024-07-03T19:20:08.880Z","dateUpdated":"2024-08-02T04:26:15.915Z"},"containers":{"cna":{"title":"ZITADEL Vulnerable to Session Information Leakage","problemTypes":[{"descriptions":[{"cweId":"CWE-200","lang":"en","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397","tags":["x_refsource_CONFIRM"],"url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397"},{"name":"https://github.com/zitadel/zitadel/issues/8213","tags":["x_refsource_MISC"],"url":"https://github.com/zitadel/zitadel/issues/8213"},{"name":"https://github.com/zitadel/zitadel/pull/8231","tags":["x_refsource_MISC"],"url":"https://github.com/zitadel/zitadel/pull/8231"},{"name":"https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04","tags":["x_refsource_MISC"],"url":"https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04"},{"name":"https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da","tags":["x_refsource_MISC"],"url":"https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da"},{"name":"https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73","tags":["x_refsource_MISC"],"url":"https://github.com/zitadel/zitadel/
commit/d04f208486a418a45b884b9ca8433e5ad9790d73"},{"name":"https://discord.com/channels/927474939156643850/1254096852937347153","tags":["x_refsource_MISC"],"url":"https://discord.com/channels/927474939156643850/1254096852937347153"},{"name":"https://github.com/zitadel/zitadel/releases/tag/v2.53.8","tags":["x_refsource_MISC"],"url":"https://github.com/zitadel/zitadel/releases/tag/v2.53.8"},{"name":"https://github.com/zitadel/zitadel/releases/tag/v2.54.5","tags":["x_refsource_MISC"],"url":"https://github.com/zitadel/zitadel/releases/tag/v2.54.5"},{"name":"https://github.com/zitadel/zitadel/releases/tag/v2.55.1","tags":["x_refsource_MISC"],"url":"https://github.com/zitadel/zitadel/releases/tag/v2.55.1"}],"affected":[{"vendor":"zitadel","product":"zitadel","versions":[{"version":"= 2.55.0","status":"affected"},{"version":">= 2.54.0, < 2.54.5","status":"affected"},{"version":">= 2.53.0, < 2.53.8","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-07-03T19:20:08.880Z"},"descriptions":[{"lang":"en","value":"ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions that carry no user agent information (e.g. sessions created through the session service) were incorrectly included in that listing, potentially exposing other users' sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. 
No workaround is provided; upgrade to a patched version (2.53.8, 2.54.5, or 2.55.1)."}],"source":{"advisory":"GHSA-cvw9-c57h-3397","discovery":"UNKNOWN"}},"adp":[{"affected":[{"vendor":"zitadel","product":"zitadel","cpes":["cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"2.54.0","status":"affected","lessThan":"2.54.5","versionType":"custom"},{"version":"2.55.0","status":"affected"},{"version":"2.53.0","status":"affected","lessThan":"2.53.8","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-07-05T18:26:22.872833Z","id":"CVE-2024-39683","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-08T16:54:43.254Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T04:26:15.915Z"},"title":"CVE Program 
Container","references":[{"name":"https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-cvw9-c57h-3397"},{"name":"https://github.com/zitadel/zitadel/issues/8213","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/zitadel/zitadel/issues/8213"},{"name":"https://github.com/zitadel/zitadel/pull/8231","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/zitadel/zitadel/pull/8231"},{"name":"https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/zitadel/zitadel/commit/4a262e42abac2208b02fefaf68ba1a5121649f04"},{"name":"https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/zitadel/zitadel/commit/c2093ce01507ca8fc811609ff5d391693360c3da"},{"name":"https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/zitadel/zitadel/commit/d04f208486a418a45b884b9ca8433e5ad9790d73"},{"name":"https://discord.com/channels/927474939156643850/1254096852937347153","tags":["x_refsource_MISC","x_transferred"],"url":"https://discord.com/channels/927474939156643850/1254096852937347153"},{"name":"https://github.com/zitadel/zitadel/releases/tag/v2.53.8","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/zitadel/zitadel/releases/tag/v2.53.8"},{"name":"https://github.com/zitadel/zitadel/releases/tag/v2.54.5","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/zitadel/zitadel/releases/tag/v2.54.5"},{"name":"https://github.com/zitadel/zitadel/releases/tag/v2.55.1","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/zitadel/zitadel/releases/tag/v2.55.1"}]}]}}