← voltar
CVE-2024-32868

ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass

CVSS 6.5 MEDIUMEPSS 0.5%CWE-297CWE-307
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Produtos afetados
zitadel · zitadel

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/zitadel/zitadel/releases/tag/v2.50.0https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239