CVE-2023-44399: 
Chainguard vulnerability analysis and mitigation

ZITADEL, an identity infrastructure provider, disclosed a vulnerability (CVE-2023-44399) affecting versions 2.37.2 and prior. The vulnerability was related to the 'Ignoring unknown usernames' security feature, which was not functioning correctly in the password reset flow, despite working properly during authentication. This security issue was discovered and disclosed on October 10, 2023, and has been patched in versions 2.37.3 and 2.38.0 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). The issue stems from an implementation flaw where the 'Ignoring unknown usernames' setting, while active during authentication, failed to apply during password reset operations (NVD).

The vulnerability allows an attacker to use the password reset function to verify the existence of user accounts within ZITADEL, even when the 'Ignoring unknown usernames' feature is enabled. This could facilitate user enumeration attacks, potentially compromising the confidentiality of user account information (GitHub Advisory).

The vulnerability has been patched in versions 2.37.3 and 2.38.0. No workarounds are available, and users are advised to upgrade to a patched version if this functionality is needed (GitHub Advisory).