First published: Thu Mar 28 2024
### Impact

Under certain circumstances an action could set [reserved claims](https://zitadel.com/docs/apis/openidoauth/claims#reserved-claims) managed by ZITADEL. For example, it was possible for an action to set the claim `urn:zitadel:iam:user:resourceowner:name`

```json
{"urn:zitadel:iam:user:resourceowner:name": "ACME"}
```

if ZITADEL itself had not already set it for that token. To compensate for this we introduced a protection that prevents actions from changing any claim whose name starts with `urn:zitadel:iam`.

### Patches

- 2.x versions are fixed on >= [2.48.3](https://github.com/zitadel/zitadel/releases/tag/v2.48.3)
- 2.47.x versions are fixed on >= [2.47.8](https://github.com/zitadel/zitadel/releases/tag/v2.47.8)
- 2.46.x versions are fixed on >= [2.46.5](https://github.com/zitadel/zitadel/releases/tag/v2.46.5)
- 2.45.x versions are fixed on >= [2.45.5](https://github.com/zitadel/zitadel/releases/tag/v2.45.5)
- 2.44.x versions are fixed on >= [2.44.7](https://github.com/zitadel/zitadel/releases/tag/v2.44.7)
- 2.43.x versions are fixed on >= [2.43.11](https://github.com/zitadel/zitadel/releases/tag/v2.43.11)
- 2.42.x versions are fixed on >= [2.42.17](https://github.com/zitadel/zitadel/releases/tag/v2.42.17)

### Workarounds

No workaround is available; upgrade to a patched version.

### Credits

Many thanks to @schettn, whose disclosure of another topic led us to find this issue.
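The two behaviours described under Impact, as an added example in Go that is not ZITADEL's own code: an unprotected setter that mirrors the pre-patch logic (a claim is refused only if it is already present, so a reserved claim ZITADEL did not emit for this token can be injected) next to a protected setter that refuses the whole `urn:zitadel:iam` namespace. The `Claims` type, the function names, the `ErrReservedClaim` error and the sample action output are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// reservedPrefix is the namespace of claims ZITADEL manages itself
// (https://zitadel.com/docs/apis/openidoauth/claims#reserved-claims).
const reservedPrefix = "urn:zitadel:iam"

// ErrReservedClaim is returned when an action tries to set a claim in the
// reserved namespace. Name chosen for this example, not ZITADEL's own.
var ErrReservedClaim = errors.New("claim is reserved for ZITADEL")

// Claims models the claim set of a token that an action may extend.
// Simplified type for this example; it is not ZITADEL's own.
type Claims map[string]any

// setter is the signature shared by the two variants below.
type setter func(c Claims, key string, value any) error

// setClaimUnprotected mirrors the pre-patch behaviour: an action may set any
// claim as long as that claim is not already present. Because only presence
// is checked, a reserved claim ZITADEL did not emit for this token (such as
// urn:zitadel:iam:user:resourceowner:name) can be injected by the action.
func setClaimUnprotected(c Claims, key string, value any) error {
	if _, exists := c[key]; exists {
		return fmt.Errorf("claim %q is already set", key)
	}
	c[key] = value
	return nil
}

// setClaimProtected adds the guard the fix introduced: any claim whose name
// starts with urn:zitadel:iam is refused, whether or not it is present.
func setClaimProtected(c Claims, key string, value any) error {
	if strings.HasPrefix(key, reservedPrefix) {
		return fmt.Errorf("%w: %s", ErrReservedClaim, key)
	}
	if _, exists := c[key]; exists {
		return fmt.Errorf("claim %q is already set", key)
	}
	c[key] = value
	return nil
}

// applyActionClaims merges the claims an action produced into the token's
// claim set using the given setter and returns every rejected key with the
// reason it was refused.
func applyActionClaims(c Claims, set setter, actionOut map[string]any) map[string]error {
	rejected := map[string]error{}
	for key, value := range actionOut {
		if err := set(c, key, value); err != nil {
			rejected[key] = err
		}
	}
	return rejected
}

func main() {
	// Constructed output of a hypothetical action: one legitimate custom
	// claim and one attempt to spoof the resource owner's name.
	actionOut := map[string]any{
		"department":                               "sales",
		"urn:zitadel:iam:user:resourceowner:name": "ACME",
	}

	// Token claims as ZITADEL emitted them for this sample user; note that
	// the resourceowner name claim is absent, which is the precondition.
	before := Claims{"sub": "sample-user"}
	rejected := applyActionClaims(before, setClaimUnprotected, actionOut)
	fmt.Println("pre-patch claims:", before, "rejected:", rejected)

	after := Claims{"sub": "sample-user"}
	rejected = applyActionClaims(after, setClaimProtected, actionOut)
	fmt.Println("patched claims:", after, "rejected:", rejected)
}
```

With the unprotected setter the spoofed `urn:zitadel:iam:user:resourceowner:name` lands in the token alongside `department`; with the protected setter only `department` is written and the reserved key is reported with `ErrReservedClaim`. The prefix check runs before the presence check so that the outcome does not depend on which reserved claims ZITADEL happened to emit for a given token.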
Affected Software | Affected Version | How to fix |
---|---|---|
go/github.com/zitadel/zitadel | >=2.48.0<2.48.3 | 2.48.3 |
go/github.com/zitadel/zitadel | >=2.47.0<2.47.8 | 2.47.8 |
go/github.com/zitadel/zitadel | >=2.46.0<2.46.5 | 2.46.5 |
go/github.com/zitadel/zitadel | >=2.45.0<2.45.5 | 2.45.5 |
go/github.com/zitadel/zitadel | >=2.44.0<2.44.7 | 2.44.7 |
go/github.com/zitadel/zitadel | >=2.43.0<2.43.11 | 2.43.11 |
go/github.com/zitadel/zitadel | <2.42.17 | 2.42.17 |