
Cloud Vulnerability DB
A community-led vulnerabilities database
ZITADEL, an identity infrastructure system, was found to contain a vulnerability (CVE-2023-49097) that could lead to account takeover. The vulnerability was discovered in versions prior to 2.41.6, 2.40.10, and 2.39.9, and was introduced with version 2.39.0. The issue was disclosed on November 29, 2023 (GitHub Advisory).
The vulnerability stems from ZITADEL's handling of the Forwarded and X-Forwarded-Host headers on requests that trigger notifications. These headers are used to build the button links sent in password reset confirmation emails, so a forwarded host that is not verified ends up as the host of the link. The vulnerability's CVSS score is 8.8 (HIGH), with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H according to NVD's assessment (NVD).
If an attacker successfully exploits this vulnerability by overwriting the header and getting the user to click the malicious link in the email, the attacker can retrieve the secret code and use it to reset the user's password, ultimately taking over the account. Accounts with MFA or passwordless authentication enabled are not vulnerable to this attack (GitHub Advisory).
The vulnerability has been patched in versions 2.41.6, 2.40.10, and 2.39.9. The fix verifies that the auth request's instance is retrieved using the request's original domain. For self-hosted environments, a workaround is available: configure the proxy fronting ZITADEL to delete all Forwarded and X-Forwarded-Host header values before forwarding requests to ZITADEL (GitHub Advisory).
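The pre-fix link building, the domain check the fix describes, and the proxy-side workaround, as an added Go example that is not ZITADEL's own code: the allowlisted domain, the attacker host and the reset path are constructed for illustration and do not come from the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed allowlist of this instance's domains (not ZITADEL's real config);
// "/password/reset" below is a hypothetical path, not the real ZITADEL one.
var trustedDomains = map[string]bool{"auth.example.com": true}

// Pre-fix behaviour: the e-mail button host comes from X-Forwarded-Host, so a
// proxy-injected value ends up in the link and the secret code goes to that host.
func resetLinkVulnerable(r *http.Request, code string) string {
	host := r.Host
	if fwd := r.Header.Get("X-Forwarded-Host"); fwd != "" {
		host = fwd
	}
	return fmt.Sprintf("https://%s/password/reset?code=%s", host, url.QueryEscape(code))
}

// Hardened: a forwarded host is honoured only if it is one of the instance's
// own configured domains, so the link can only point back at our origin.
func resetLinkHardened(r *http.Request, code string) (string, error) {
	host := strings.ToLower(r.Host)
	if fwd := strings.ToLower(r.Header.Get("X-Forwarded-Host")); fwd != "" {
		host = fwd
	}
	if !trustedDomains[host] {
		return "", fmt.Errorf("untrusted host %q for reset link", host)
	}
	return fmt.Sprintf("https://%s/password/reset?code=%s", host, url.QueryEscape(code)), nil
}

// Self-hosted workaround at the edge: drop Forwarded and X-Forwarded-Host
// before the request reaches ZITADEL.
func stripForwardedHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Forwarded")
		r.Header.Del("X-Forwarded-Host")
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed request carrying an injected header
	r, _ := http.NewRequest("POST", "https://auth.example.com/reset", nil)
	r.Header.Set("X-Forwarded-Host", "attacker.example.net")
	fmt.Println(resetLinkVulnerable(r, "c0de")) // attacker host in the link
	fmt.Println(resetLinkHardened(r, "c0de"))   // rejected by the allowlist
}
```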
Source: This report was generated using AI