CVE-2024-41952: 
Chainguard vulnerability analysis and mitigation

CVE-2024-41952 affects Zitadel, an open source identity management system. The vulnerability was discovered and disclosed on July 31, 2024, impacting versions 2.53.0-2.53.8, 2.54.0-2.54.7, 2.55.0-2.55.4, 2.56.0-2.56.1, 2.57.0, and 2.58.0. The issue relates to the 'Ignoring unknown usernames' feature, which is designed to mitigate username enumeration attacks (Vendor Advisory).

The vulnerability stems from an implementation change intended to prevent database deadlocks. When the 'Ignoring unknown usernames' setting is enabled, the system should display a password prompt and return a generic 'Username or Password invalid' message regardless of whether the user exists. However, due to the implementation flaw, the system would incorrectly expose whether an account exists by showing an 'object not found' error message instead of the intended generic response. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Vendor Advisory).

The vulnerability allows attackers to enumerate valid usernames within ZITADEL, effectively bypassing the security measure designed to prevent such enumeration attacks. This information disclosure could be used as a stepping stone for further targeted attacks against known valid users (Vendor Advisory).

The vulnerability has been fixed in versions 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, and 2.53.9. ZITADEL recommends upgrading to these patched versions. No workarounds are available as patches have already been released (Vendor Advisory).