CVE-2023-22492 is a refresh-token invalidation flaw in ZITADEL. It affects versions >= 2.0.0 and < 2.16.4, and versions >= 2.17.0 and < 2.17.3; it is rated medium severity, and the fix is to upgrade to 2.16.4 or 2.17.3.
ZITADEL, an open-source identity and access management platform that positions itself as a combination of Auth0 and Keycloak, did not invalidate OAuth 2.0 refresh tokens when the user they belonged to was locked or deactivated.
Understanding CVE-2023-22492
This vulnerability is classified as CWE-613 (Insufficient Session Expiration) and carries a CVSS base score of 5.9, a medium severity rating.
What is CVE-2023-22492?
CVE-2023-22492 affects ZITADEL versions >= 2.17.0 and < 2.17.3, as well as versions >= 2.0.0 and < 2.16.4. Refresh tokens are an OAuth 2.0 mechanism that lets an application obtain new access tokens without the user logging in again. In the affected versions those tokens were not invalidated when a user was locked or deactivated, so such a user (or anyone holding their refresh token) could still obtain a valid access token through the refresh token grant. Only the refresh token grant was affected: a locked or deactivated user could not log in again, and if the user's session had already been terminated (revoked), the refresh token could no longer be used.
The Impact of CVE-2023-22492
Because the refresh token kept working, locking or deactivating a user did not take effect for API access until the refresh token expired or the session was revoked. A locked or deactivated user, or an attacker who had stolen that user's refresh token, could keep minting access tokens and reaching resources that the lock was meant to cut off.
Technical Details of CVE-2023-22492
The vulnerability arises from insufficient session expiration in ZITADEL's refresh-token handling: the refresh token's own lifetime was enforced, but a change in the user's state (locked or deactivated) did not end the token's validity.
Vulnerability Description
Refresh tokens in ZITADEL were not invalidated for locked or deactivated users, so those users could continue to obtain valid access tokens through the refresh token grant.
Affected Systems and Versions
ZITADEL versions >= 2.17.0 and < 2.17.3, and versions >= 2.0.0 and < 2.16.4, are affected. Versions 2.16.4 and 2.17.3 contain the fix.
Exploitation Mechanism
A locked or deactivated user who still held a refresh token issued before the lock (or an attacker who had obtained that token) could send it to the token endpoint with grant_type=refresh_token and receive a fresh access token, because the server validated the token without re-checking the user's current state. The window closed only when the refresh token expired or the user's session was revoked.
Mitigation and Prevention
Upgrading is the only complete fix for CVE-2023-22492; the configuration steps below limit exposure until the upgrade is done.
Immediate Steps to Take
If you cannot upgrade immediately, set the RefreshTokenExpiration in the instance's OIDC settings to the shortest value your security requirements allow; this bounds how long a locked or deactivated user's refresh token can keep renewing access tokens. It narrows the window but does not close it, since the token remains valid until it expires. When locking or deactivating a user, also terminate that user's sessions: a revoked session invalidates the refresh token even on affected versions.
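The following Go program is an added illustration of the exploitation mechanism described above and of why the RefreshTokenExpiration setting only bounds the exposure; it is not ZITADEL's code and does not describe ZITADEL's patch. It models an in-memory refresh-token store with the two behaviours side by side: a vulnerable grant path that validates only the token, and a hardened path that re-checks the user's state at grant time and revokes the user's tokens when they are locked or deactivated. The user states, the token format, and the absolute-lifetime semantics of RefreshTokenExpiration are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added illustration of the defect and one way to fix it; not ZITADEL's code.
// User states, token shape and the in-memory store are all assumed for the example.

type UserState int

const (
	UserActive UserState = iota
	UserLocked
	UserDeactivated
)

type RefreshToken struct {
	UserID   string
	IssuedAt time.Time
	Revoked  bool
}

var ErrInvalidGrant = errors.New("invalid_grant")

type Store struct {
	users  map[string]UserState
	tokens map[string]*RefreshToken
	// RefreshTokenExpiration bounds how long an issued refresh token stays usable.
	// It plays the role of the OIDC setting the advisory names as a stop-gap
	// (assumed semantics for this example: absolute lifetime from issuance).
	RefreshTokenExpiration time.Duration
	Now                    func() time.Time // injectable clock for tests
}

func NewStore(exp time.Duration) *Store {
	return &Store{
		users:                  map[string]UserState{},
		tokens:                 map[string]*RefreshToken{},
		RefreshTokenExpiration: exp,
		Now:                    time.Now,
	}
}

func (s *Store) AddUser(id string) { s.users[id] = UserActive }

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// IssueRefreshToken models the initial login: only known, active users get a token.
func (s *Store) IssueRefreshToken(userID string) (string, error) {
	if st, ok := s.users[userID]; !ok || st != UserActive {
		return "", ErrInvalidGrant
	}
	tok := randomToken()
	s.tokens[tok] = &RefreshToken{UserID: userID, IssuedAt: s.Now()}
	return tok, nil
}

// tokenUsable holds the checks both grant paths share: the token must exist,
// must not be revoked, and must be inside RefreshTokenExpiration.
func (s *Store) tokenUsable(tok string) (*RefreshToken, bool) {
	rt, ok := s.tokens[tok]
	if !ok || rt.Revoked || s.Now().After(rt.IssuedAt.Add(s.RefreshTokenExpiration)) {
		return nil, false
	}
	return rt, true
}

// VulnerableRefreshGrant mirrors the behaviour the advisory describes for the
// affected versions: the token is validated, but the user's current state is
// never consulted, so a locked or deactivated user keeps minting access tokens
// until the refresh token expires or is revoked.
func (s *Store) VulnerableRefreshGrant(tok string) (string, error) {
	rt, ok := s.tokenUsable(tok)
	if !ok {
		return "", ErrInvalidGrant
	}
	return "access:" + rt.UserID + ":" + randomToken()[:8], nil
}

// HardenedRefreshGrant re-checks the user's state at grant time, which is the
// check the vulnerable path lacks (one possible fix, chosen for this example).
func (s *Store) HardenedRefreshGrant(tok string) (string, error) {
	rt, ok := s.tokenUsable(tok)
	if !ok {
		return "", ErrInvalidGrant
	}
	if st, known := s.users[rt.UserID]; !known || st != UserActive {
		return "", ErrInvalidGrant
	}
	return "access:" + rt.UserID + ":" + randomToken()[:8], nil
}

// SetUserState changes a user's state and, when the user is locked or
// deactivated, revokes every refresh token issued to them. This is the
// invalidation the advisory says was missing; with the grant-time check above
// it gives defence in depth.
func (s *Store) SetUserState(userID string, st UserState) {
	s.users[userID] = st
	if st == UserActive {
		return
	}
	for _, rt := range s.tokens {
		if rt.UserID == userID {
			rt.Revoked = true
		}
	}
}

func main() {
	s := NewStore(24 * time.Hour)
	s.AddUser("alice")
	tok, _ := s.IssueRefreshToken("alice")
	s.users["alice"] = UserLocked // lock without revoking: the pre-patch situation
	_, errVuln := s.VulnerableRefreshGrant(tok)
	_, errFixed := s.HardenedRefreshGrant(tok)
	fmt.Println("vulnerable path error:", errVuln)
	fmt.Println("hardened path error:", errFixed)
}
```

Running it prints no error for the vulnerable path (an access token was minted for a locked user) and invalid_grant for the hardened path. Shortening RefreshTokenExpiration shrinks the window in which the vulnerable path succeeds but never removes it, which is why the setting is a stop-gap and not a fix.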
Long-Term Security Practices
Treat user lock and deactivation as security-critical operations and verify, after each ZITADEL upgrade, that they actually terminate sessions and reject subsequent refresh token grants for the affected user. Keep refresh token lifetimes short, and when locking an account in response to suspected compromise, revoke its sessions as well, since a stolen refresh token is exactly what an attacker would rely on to outlast the lock.
Patching and Updates
The issue is patched in ZITADEL 2.17.3 and 2.16.4. Upgrade to one of these versions (2.16.4 for deployments on the 2.16 line, 2.17.3 otherwise); configuration changes alone do not fully mitigate CVE-2023-22492.