CVE-2024-47060: 
vulnerability analysis and mitigation

CVE-2024-47060 affects Zitadel, an open source identity management platform. The vulnerability was discovered and disclosed on September 19, 2024, impacting multiple versions of Zitadel prior to versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10. The issue allows unauthorized access to projects and their resources even after an organization or project is deactivated (GitHub Advisory).

The vulnerability stems from a design flaw where applications associated with a deactivated organization do not automatically deactivate. The application lifecycle is not properly coupled with the organization's lifecycle, resulting in a situation where even though an organization or project is marked as inactive, its resources remain accessible. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N by NIST, while GitHub assigned it a score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

When exploited, this vulnerability allows unauthorized users to continue accessing projects and their resources through applications that should have been restricted after organization deactivation. Users across other organizations can still log in and access through these applications, leading to potential unauthorized access to sensitive resources (GitHub Advisory).

The vulnerability has been patched in versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10. For users unable to upgrade immediately, a workaround is available where they can explicitly disable the application to ensure the client is not allowed anymore (GitHub Advisory).