Vulnerability DatabaseCVE-2023-47111

CVE-2023-47111:
Chainguard vulnerability analysis and mitigation

Overview

CVE-2023-47111 affects ZITADEL's lockout policy implementation. The vulnerability was discovered and disclosed on November 8, 2023, affecting ZITADEL versions prior to 2.38.3 and versions between 2.39.0 and 2.40.4. ZITADEL provides identity infrastructure with a lockout policy feature that limits failed password check attempts (GitHub Advisory).

Technical details

The vulnerability is classified as a race condition in the lockout policy execution mechanism. It has a CVSS v3.1 base score of 7.3 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The issue stems from improper handling of multiple parallel password check attempts, which could bypass the configured maximum attempt limit in the lockout policy (GitHub Advisory, NVD).

Impact

The vulnerability allows attackers to attempt more password combinations than what is configured in the lockout policy by initiating multiple parallel password checks. This effectively bypasses the security measure designed to prevent brute force attacks, potentially compromising account security (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in ZITADEL versions 2.38.3 and 2.40.5. Users are advised to upgrade to these patched versions as there are no alternative workarounds available (GitHub Advisory).

Additional resources

Source: This report was generated using AI

Related Chainguard vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-66471	HIGH	8.9	Python	py3-urllib3	No	Yes	Dec 05, 2025
CVE-2025-66418	HIGH	8.9	Python	python-urllib3	No	Yes	Dec 05, 2025
CVE-2025-66506	HIGH	7.5	Podman	golang-github-sigstore-fulcio	No	Yes	Dec 04, 2025
CVE-2025-66490	MEDIUM	6.9	Wolfi	traefik	No	Yes	Dec 09, 2025
CVE-2025-66491	MEDIUM	5.9	Wolfi	github.com/traefik/traefik/v3	No	Yes	Dec 09, 2025