Strix
26.1K

CVE-2023-22492

MEDIUMCVSS 5.9/10EPSS 0.60%

Last modified

CVE-2023-22492 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. EPSS estimates a 0.60% chance of exploitation in the next 30 days.

Description

ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4.

Metrics

CVSS 3.1
5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
0.60%

44.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
ZitadelZitadel>= 2.0.0, < 2.16.4
ZitadelZitadel>= 2.17.0, < 2.17.3

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-22492?
ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). As a workaround, ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements. This issue has been patched in versions 2.17.3 and 2.16.4.
How severe is CVE-2023-22492?
CVE-2023-22492 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 0.60% probability of exploitation in the next 30 days.
How do I fix CVE-2023-22492?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-22492?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST