CVE-2024-49757 Information

Description

The open-source identity infrastructure software Zitadel allows administrators to disable user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5 and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5 and 2.58.7 contain a patch. No known workarounds are available.
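As an added illustration (not Zitadel's code: LoginPolicy, both handlers and the routing of /ui/login/loginname are hypothetical stand-ins), the pre-fix pattern of gating registration only in the UI next to a handler that enforces the same setting on the endpoint itself:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// LoginPolicy is a hypothetical stand-in (not Zitadel's type) for the one
// setting this advisory concerns: whether users may register themselves.
type LoginPolicy struct {
	UserRegistrationAllowed bool
}
func registered(w http.ResponseWriter) {
	w.WriteHeader(http.StatusCreated)
	fmt.Fprint(w, "user registered")
}

// vulnerableRegister is the pre-fix pattern: the policy was only consulted when
// rendering the login page (to hide the button), so the endpoint never checks it.
func vulnerableRegister(_ LoginPolicy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		registered(w) // no policy check: the hidden button was the only gate
	})
}

// hardenedRegister enforces the policy on the endpoint itself, so hiding the
// button is no longer the only control.
func hardenedRegister(p LoginPolicy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		if !p.UserRegistrationAllowed {
			http.Error(w, "self-registration is disabled", http.StatusForbidden)
			return
		}
		registered(w)
	})
}

// directRegisterStatus sends a request straight to the registration path,
// skipping the login page, and returns the handler's status code.
func directRegisterStatus(h http.Handler) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/ui/login/loginname", nil))
	return rec.Code
}
func main() {
	off := LoginPolicy{UserRegistrationAllowed: false}
	fmt.Println(directRegisterStatus(vulnerableRegister(off)), directRegisterStatus(hardenedRegister(off))) // 201 403
}
```

The first handler returns 201 with registration disabled, which is the defect; the second returns 403 for the same request and 201 only once the setting is enabled.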

References

- https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc
- https://github.com/zitadel/zitadel/releases/tag/v2.58.7
- https://github.com/zitadel/zitadel/releases/tag/v2.59.5
- https://github.com/zitadel/zitadel/releases/tag/v2.60.4
- https://github.com/zitadel/zitadel/releases/tag/v2.61.4
- https://github.com/zitadel/zitadel/releases/tag/v2.62.7
- https://github.com/zitadel/zitadel/releases/tag/v2.63.5
- https://github.com/zitadel/zitadel/releases/tag/v2.64.0