CVE-2024-49757: Zitadel - User Registration Bypass

Date: 2025-08-01 | Affected software: Zitadel | PoC: published

Vulnerability description

The open-source identity infrastructure software Zitadel allows administrators to disable user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and registering a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.

PoC code [published]

id: CVE-2024-49757

info:
  name: Zitadel - User Registration Bypass
  author: Sujal Tuladhar
  severity: high
  description: |
    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.
  reference:
    - https://github.com/zitadel/zitadel/releases/tag/v2.62.7
    - https://nvd.nist.gov/vuln/detail/CVE-2024-49757
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-49757
    cwe-id: CWE-287
    epss-score: 0.03061
    epss-percentile: 0.86221
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Zitadel"
  tags: cve,cve2024,register,zitadel

http:
  - method: GET
    path:
      - "{{BaseURL}}/ui/login/register"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Registration is not allowed (Internal)"
        negative: true

      - type: word
        part: body
        words:
          - "Enter your Userdata"
          - "zitadel"
        condition: and
        case-insensitive: true

      - type: status
        status:
          - 200
# digest: 4b0a004830460221008ac1c362f9de4dd74604a89c2c4c9843b5cb455956583944e8c5d560629e4f0e022100856917d9a0eeab3c49fc8f44b74988abe1d6b8a54dc2dea15f49bde9c2a5c344:922c64590222798bb761d5b6d8e72950
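The root cause described above (the policy only hid a button; the registration route itself never re-checked it) and the matchers of the Nuclei template, as an added Go example that is not Zitadel's code nor part of the template: a constructed handler with the pre-fix and the hardened behaviour side by side, plus a function that applies the template's checks to it in-process. The Policy type, the enforce flag and the response markup are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Policy stands in for the "User Registration allowed" login-policy switch.
// Constructed for this example; not Zitadel's own types or handlers.
type Policy struct{ AllowRegister bool }

// registerHandler serves the registration form. With enforce=false it
// mirrors the pre-fix behaviour: the policy only hid the button on the login
// page, so a direct GET of the registration route still served the form.
// With enforce=true the same policy is re-checked on the route itself.
func registerHandler(p Policy, enforce bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if enforce && !p.AllowRegister {
			http.Error(w, "Registration is not allowed (Internal)", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "<title>zitadel</title><h1>Enter your Userdata</h1>")
	}
}

// registrationReachable applies the template's matchers to an in-process
// handler: status 200, the denial string absent, and both form markers
// present (case-insensitive). True means self-registration is still open.
func registrationReachable(h http.Handler) bool {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/ui/login/register", nil))
	raw := rec.Body.String()
	body := strings.ToLower(raw)
	return rec.Code == http.StatusOK &&
		!strings.Contains(raw, "Registration is not allowed (Internal)") &&
		strings.Contains(body, "enter your userdata") &&
		strings.Contains(body, "zitadel")
}

func main() {
	off := Policy{AllowRegister: false}
	fmt.Println("hidden button only:", registrationReachable(registerHandler(off, false))) // true
	fmt.Println("server-side check: ", registrationReachable(registerHandler(off, true)))  // false
}
```

The same registrationReachable logic can be pointed at a real instance's /ui/login/register response after upgrading to verify that the route now denies when the policy is off.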