Home > Vulnerability Database > CVE-2023-47111

Mend.io Vulnerability Database

CVE-2023-47111

Date: November 8, 2023

ZITADEL provides identity infrastructure. ZITADEL provides administrators the possibility to define a `Lockout Policy` with a maximum amount of failed password check attempts. On every failed password check, the amount of failed checks is compared against the configured maximum. Exceeding the limit, will lock the user and prevent further authentication. In the affected implementation it was possible for an attacker to start multiple parallel password checks, giving him the possibility to try out more combinations than configured in the `Lockout Policy`. This vulnerability has been patched in versions 2.40.5 and 2.38.3.

Language: Go

Severity Score

7.3

Related Resources (7)

Url: https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m

Url: https://github.com/zitadel/zitadel/releases/tag/v2.40.5

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-47111

Url: https://github.com/zitadel/zitadel/releases/tag/v2.38.3

Url: https://github.com/zitadel/zitadel/commit/22e2d5599918864877e054ebe82fb834a5aa1077

Url: https://github.com/zitadel/zitadel

Url: https://www.mend.io/vulnerability-database/CVE-2023-47111

Severity Score

7.3

Weakness Type (CWE)

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-362

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-47111

Date: November 8, 2023

Language: Go

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?