CVE-2024-46999: 
Chainguard vulnerability analysis and mitigation

CVE-2024-46999 affects Zitadel, an open source identity management platform. The vulnerability was discovered in the user grants deactivation mechanism, which was found to be functioning incorrectly. The issue was disclosed on September 19, 2024, affecting multiple versions of Zitadel including versions prior to 2.54.10, 2.55.8, 2.56.6, 2.57.5, 2.58.5, 2.59.3, 2.60.2, 2.61.1, and 2.62.1 (NVD).

The vulnerability stems from a malfunction in ZITADEL's user grants deactivation mechanism where deactivated user grants continued to be provided in tokens. Additionally, the management and auth API would either return the state as active or provide no information about the state. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, indicating network vector attack possibility with low attack complexity (GitHub Advisory).

The vulnerability could lead to unauthorized access to applications and resources, as deactivated user grants remained active in tokens. This could potentially allow users to retain access to systems and data even after their access should have been revoked (GitHub Advisory).

Multiple patched versions have been released to address this vulnerability: 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10. For users unable to upgrade immediately, a workaround is available by explicitly removing user grants to ensure users do not retain access (GitHub Advisory).