[GHSA-3rmw-76m6-4gjc] User Registration Bypass in Zitadel #4944

Closed
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-3rmw-76m6-4gjc",
"modified": "2024-10-25T19:30:14Z",
"modified": "2024-10-25T19:30:15Z",
"published": "2024-10-25T19:30:14Z",
"aliases": [
"CVE-2024-49757"
],
"summary": "User Registration Bypass in Zitadel",
"details": "### Impact\nZitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.63.4, disabling the \"User Registration allowed\" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way.\n\n### Patches\n\n2.x versions are fixed on >= [2.64.0](https://github.com/zitadel/zitadel/releases/tag/v2.64.0)\n2.63.x versions are fixed on >= [2.63.5](https://github.com/zitadel/zitadel/releases/tag/v2.63.5)\n2.62.x versions are fixed on >= [2.62.7](https://github.com/zitadel/zitadel/releases/tag/v2.62.7)\n2.61.x versions are fixed on >= [2.61.4](https://github.com/zitadel/zitadel/releases/tag/v2.61.4)\n2.60.x versions are fixed on >= [2.60.4](https://github.com/zitadel/zitadel/releases/tag/v2.60.4)\n2.59.x versions are fixed on >= [2.59.5](https://github.com/zitadel/zitadel/releases/tag/v2.59.5)\n2.58.x versions are fixed on >= [2.58.7](https://github.com/zitadel/zitadel/releases/tag/v2.58.7)\n\n### Workarounds\nUpdating to the patched version is the recommended solution.\n\n### Questions\nIf you have any questions or comments about this advisory, please email us at [[email protected]](mailto:[email protected])\n\n### Credits\nThanks to @sevensolutions and @evilgensec for disclosing this!\n",
"summary": "Suggested Fix for Zitadel User Registration Bypass Vulnerability",
"details": "I want to add on Something too\n\n# Issue\nIn Zitadel versions prior to 2.63.4, disabling the user self-registration feature only hides the registration button on the login page without fully preventing access to the registration URL (/ui/login/loginname). This allows users to bypass the intended restriction.\n\n# Impact\nUnauthorized users can register even when user registration is disabled, leading to potential unauthorized access and increased risk to system security.\n\n# Proposed Solution\n\nBackend Check for User Registration Setting\nModify the backend endpoint handling registration requests (at /ui/login/loginname) to include a validation check that ensures user registration is indeed enabled in the system settings.\n\ngo\n```go\nfunc RegisterUserHandler(w http.ResponseWriter, r *http.Request) {\n if !settings.IsUserRegistrationAllowed() {\n http.Error(w, \"User registration is disabled\", http.StatusForbidden)\n return\n }\n // Proceed with registration logic\n}\n```\n\n# Alerts \n\nGroups\n```\ngroups:\n - name: FailedRegistrationAlert\n rules:\n - alert: HighFailedRegistrationAttempts\n expr: rate(failed_registration_attempts_total[5m]) > 10\n for: 5m\n labels:\n severity: \"critical\"\n annotations:\n summary: \"High number of failed registration attempts detected\"\n description: \"There have been more than 10 failed registration attempts in the last 5 minutes.\"\n```\n\n# Add Audit Logs\n\nInclude logging for any unauthorized registration attempts when registration is disabled. This can help admins monitor suspicious activity.\n\nSummary\n\n- Backend Check: Restricts registration via backend logic.\n- Frontend Feedback: Alerts users and redirects them if registration is disabled.\n- Logging: Logs unauthorized registration attempts.\n- Monitoring Alerts: Sets up Prometheus and Alertmanager to notify admins of repeated attempts.",
"severity": [
{
"type": "CVSS_V3",
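Review bot: the replacement `details` value drops the advisory's Patches, Workarounds and Credits sections, so the fixed version ranges (>= 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, 2.58.7) no longer appear anywhere in the record, and the new `summary` ("Suggested Fix for Zitadel User Registration Bypass Vulnerability") describes a proposal rather than the vulnerability; an advisory entry needs to keep the affected/fixed version information and a summary that names the weakness. The proposed `RegisterUserHandler` / `settings.IsUserRegistrationAllowed()` snippet and the Prometheus `failed_registration_attempts_total` alert rule are not Zitadel code and are not what the listed patch releases ship, so they belong in an issue or PR against zitadel/zitadel rather than in the advisory text; if any of it is retained, remove the stray `go` line before the fence and the opening sentence "I want to add on Something too", and either add the frontend change that the "Frontend Feedback: Alerts users and redirects them" summary item refers to or drop that item, since nothing in the proposal implements it. The rewritten text also keeps "prior to 2.63.4" while the original lists 2.63.x as fixed on >= 2.63.5; if the details are rewritten, make the affected range agree with the fixed versions. Finally, `modified` is bumped by one second while `published` is unchanged; confirm that edit is intended rather than an artifact of hand-editing the JSON.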