Impact
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email.
While ZITADEL already gives administrators the option to define a Lockout Policy
with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks.
Patches
2.x versions are fixed on >= 2.50.0
Workarounds
There is no workaround since a patch is already available.
References
None
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credits
Thanks to Jack Moran and Ethan from zxsecurity and Amit Laish from GE Vernova for finding and reporting the vulnerability.
References
Impact
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email.
While ZITADEL already gives administrators the option to define a
Lockout Policy
with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks.Patches
2.x versions are fixed on >= 2.50.0
Workarounds
There is no workaround since a patch is already available.
References
None
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credits
Thanks to Jack Moran and Ethan from zxsecurity and Amit Laish from GE Vernova for finding and reporting the vulnerability.
References