Zitadel - User Registration Bypass
ID: CVE-2024-49757
Severity: high
Author: Sujal Tuladhar
Tags: cve,cve2024,register,zitadel
Description
The open-source identity infrastructure software Zitadel allows administrators to disable user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the “User Registration allowed” option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and registering a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
YAML Source
id: CVE-2024-49757

info:
  name: Zitadel - User Registration Bypass
  author: Sujal Tuladhar
  severity: high
  description: |
    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
  reference:
    - https://github.com/zitadel/zitadel/releases/tag/v2.62.7
    - https://nvd.nist.gov/vuln/detail/CVE-2024-49757
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-49757
    cwe-id: CWE-287
    epss-score: 0.00044
    epss-percentile: 0.14016
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Zitadel"
  tags: cve,cve2024,register,zitadel

http:
  - method: GET
    path:
      - "{{BaseURL}}/ui/login/register"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Registration is not allowed (Internal)"
        negative: true

      - type: word
        part: body
        words:
          - "Enter your Userdata"
          - "zitadel"
        condition: and
        case-insensitive: true

      - type: status
        status:
          - 200
# digest: 4a0a0047304502207827a220a87957de30ea0ff5eab189e792757da4bc437b60a74bfd5792f64d23022100e7818221617f50e42c5f00274bdb0d8fcfeaa7647d70bcc58a6773524087f1c2:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This Nuclei template checks a Zitadel instance for the registration bypass described above: it requests the registration page and matches on the response. Run it with the Nuclei tool against the base URL of the instance:
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-49757.yaml"
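To make the template's decision logic explicit, the following added example (not part of the Nuclei template or of Zitadel) re-implements its three matchers in Python and evaluates them offline against constructed responses. The `Response` class, the `words_match` and `template_matches` helpers, and the sample HTML bodies are all hypothetical constructs for this illustration; nothing is fetched from a server.

```python
"""Offline evaluation of the CVE-2024-49757 template matchers.

matchers-condition: and  ->  every matcher below must fire for a hit:
  1. word, negative:  "Registration is not allowed (Internal)" must be ABSENT
  2. word, condition and, case-insensitive: both form markers present
  3. status 200
"""
from dataclasses import dataclass


@dataclass
class Response:            # minimal stand-in for an HTTP response (assumption)
    status: int
    body: str


def words_match(body: str, words: list, condition: str = "or",
                case_insensitive: bool = False) -> bool:
    """Nuclei-style word matcher: 'or' needs any word, 'and' needs all."""
    haystack = body.lower() if case_insensitive else body
    hits = [(w.lower() if case_insensitive else w) in haystack for w in words]
    return all(hits) if condition == "and" else any(hits)


def template_matches(resp: Response) -> bool:
    """True only when the registration form is served without the 'not allowed' notice."""
    # Matcher 1 is negative: it fires when the blocking notice is missing.
    not_blocked = not words_match(resp.body, ["Registration is not allowed (Internal)"])
    # Matcher 2: both strings must appear, compared case-insensitively.
    form_shown = words_match(resp.body, ["Enter your Userdata", "zitadel"],
                             condition="and", case_insensitive=True)
    # Matcher 3: the page must have been returned with HTTP 200.
    return not_blocked and form_shown and resp.status == 200


# Constructed sample responses (not captured from any real instance).
VULNERABLE = Response(200, "<html><title>ZITADEL</title><h1>Enter your Userdata</h1></html>")
PATCHED = Response(200, "<html><title>ZITADEL</title>"
                        "<p>Registration is not allowed (Internal)</p></html>")
REDIRECTED = Response(302, "")                                  # sent back to login
UNRELATED = Response(200, "<html><h1>Enter your Userdata</h1></html>")  # no 'zitadel' marker

if __name__ == "__main__":
    for label, r in [("vulnerable", VULNERABLE), ("patched", PATCHED),
                     ("redirected", REDIRECTED), ("unrelated", UNRELATED)]:
        print(f"{label:>10}: {'MATCH' if template_matches(r) else 'no match'}")
```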