x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-jj94-6f5c-65r8

[GoVulnBot]

Advisory GHSA-jj94-6f5c-65r8 references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description:

Summary

In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access.
Additionally, if a project was deactivated access to applications was also still possible.

Details

The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, lead...

References:

• ADVISORY: GHSA-jj94-6f5c-65r8
• ADVISORY: GHSA-jj94-6f5c-65r8

Cross references:

• github.com/zitadel/zitadel appears in 15 other report(s):
  • data/excluded/GO-2022-0961.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961) NOT_IMPORTABLE
  • data/excluded/GO-2023-1489.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489) NOT_IMPORTABLE
  • data/excluded/GO-2023-2107.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-44399 #2107) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2155.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-46238 #2155) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2187.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7h8m-vrxx-vr4m #2187) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2368.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-2wmj-46rj-qm2w #2368) NOT_IMPORTABLE
  • data/reports/GO-2024-2637.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-mq4x-r2w3-j7mr #2637)
  • data/reports/GO-2024-2655.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hfrg-4jwr-jfpj #2655)
  • data/reports/GO-2024-2664.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-gp8g-f42f-95q2 #2664)
  • data/reports/GO-2024-2665.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hr5w-cwwq-2v4m #2665)
  • data/reports/GO-2024-2788.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7j7j-66cv-m239 #2788)
  • data/reports/GO-2024-2804.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-32967 #2804)
  • data/reports/GO-2024-2968.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968)
  • data/reports/GO-2024-3014.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41952 #3014)
  • data/reports/GO-2024-3015.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41953 #3015)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      non_go_versions:
        - fixed: 2.54.10
        - introduced: 2.55.0
        - fixed: 2.55.8
        - introduced: 2.56.0
        - fixed: 2.56.6
        - introduced: 2.57.0
        - fixed: 2.57.5
        - introduced: 2.58.0
        - fixed: 2.58.5
        - introduced: 2.59.0
        - fixed: 2.59.3
        - introduced: 2.60.0
        - fixed: 2.60.2
        - introduced: 2.61.0
        - fixed: 2.61.1
        - introduced: 2.62.0
        - fixed: 2.62.1
      vulnerable_at: 1.87.5
summary: ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel
ghsas:
    - GHSA-jj94-6f5c-65r8
references:
    - advisory: https://github.com/advisories/GHSA-jj94-6f5c-65r8
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-jj94-6f5c-65r8
source:
    id: GHSA-jj94-6f5c-65r8
    created: 2024-09-19T17:01:25.105842389Z
review_status: UNREVIEWED