CVE-2024-49757: 
Chainguard vulnerability analysis and mitigation

The open-source identity infrastructure software Zitadel contains a security vulnerability (CVE-2024-49757) that allows users to bypass user self-registration restrictions. The vulnerability was discovered and disclosed on October 25, 2024, affecting versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7. The issue stems from a missing security check where disabling the "User Registration allowed" option only hid the registration button on the login page but did not prevent direct access to the registration URL (GitHub Advisory).

The vulnerability is classified as a high severity issue with a CVSS v3.1 base score of 7.5 (HIGH). The attack vector is Network-based (AV:N) with Low attack complexity (AC:L), requiring No privileges (PR:N) and No user interaction (UI:N). The scope is Unchanged (S:U) with High impact on Confidentiality (C:H) but No impact on Integrity (I:N) and Availability (A:N). The vulnerability is tracked as CWE-287 (Improper Authentication) (NVD).

The vulnerability allows unauthorized users to bypass registration restrictions by directly accessing the registration URL (/ui/login/loginname) even when user self-registration is disabled by administrators. This bypass could lead to unauthorized user account creation in environments where registration should be restricted (GitHub Advisory).

The vulnerability has been patched in versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7. The recommended solution is to update to the patched version corresponding to your current version branch. No alternative workarounds are available (GitHub Advisory).