CVE-2024-32868

ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.50.0.

### Impact ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. ### Patches 2.x versions are fixed on >= [2.50.0](https://github.com/zitadel/zitadel/releases/tag/v2.50.0) ### Workarounds There is no workaround since a patch is already available. ### References None ### Questions If you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com) ### Credits Thanks to Jack Moran from Layer 9 Information Security, Ethan from zxsecurity and Amit Laish from GE Vernova for finding and reporting the vulnerability.

ZITADEL ofrece a los usuarios la posibilidad de utilizar contraseñas de un solo uso (TOTP) y contraseñas de un solo uso (OTP) a través de SMS y correo electrónico. Si bien ZITADEL ya ofrece a los administradores la opción de definir una "Política de bloqueo" con una cantidad máxima de intentos fallidos de verificación de contraseña, no existía tal mecanismo para las comprobaciones (T)OTP. Este problema se solucionó en la versión 2.50.0.