You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"summary": "ZITADEL's truncated opaque tokens are still valid",
10
+
"details": "### Summary\n\nOpaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid. \n\nZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different versions of token payloads. v1 tokens are no longer created, but are still verified as to not invalidate existing session after upgrade.\n\nThe cleartext payload has a format of `<token_id>:<user_id>`. v2 tokens distinguished further where the `token_id` is of the format `v2_<oidc_session_id>-at_<access_token_id>`. This is an example of such a cleartext: `V2_354201447279099906-at_354201447279165442:354201364702363650`\n\n### Impact\n\nV1 token authZ/N session data is retrieved from the database using the (simple) `token_id` value and `user_id` value. The `user_id` (called `subject` in some parts of our code) was used as being the trusted user ID.\n\nV2 token authZ/N session data is retrieved from the database using the `oidc_session_id` and `access_token_id` and in this case the `user_id` from the token is ignored and taken from the session data in the database.\n\nBy truncating the token to 80 chars, the user_id is now missing from the cleartext of the v2 token: `V2_354201447279099906-at_354201447279165442:` The back-end still accepts this for above reasons.\n\nThis issue is not considered exploitable, but may look awkward when reproduced.\n\n### Affected Versions\n\nAll versions within the following ranges, including release candidates (RCs), are affected:\n- **v4.x**: `4.0.0` through `4.10.1`\n- **3.x**: `3.0.0` through `3.4.6`\n- **2.x**: `2.31.0` through `2.71.19`\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by verifying the `user_id` from the token against the session data from the database\n\n4.x: Upgrade to >=[4.11.0](https://github.com/zitadel/zitadel/releases/tag/v4.11.0)\n3.x: Update to >=[3.4.7](https://github.com/zitadel/zitadel/releases/tag/v3.4.7)\n2.x: Update to >=[3.4.7](https://github.com/zitadel/zitadel/releases/tag/v3.4.7)\n\n### Workarounds\n\nThe recommended solution is to update ZITADEL to a patched version.\n\n### Questions\n\nIf there any questions or comments about this advisory, please send an email to [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nZITADEL thanks Olivier Becker and Lucas Dodgson for reporting this vulnerability.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments