SCA: security update for github.com/zitadel/zitadel (GHSA-hr5w-cwwq-2v4m)

high Tenable Cloud Security Plugin ID 415909

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing
check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in
certain scenarios. A possible victim would need to directly open the supposed image in the browser, where
a session in ZITADEL needs to be active for this exploit to work. The exploit could only be reproduced if
the victim was using Firefox. Chrome, Safari as well as Edge did not execute the code. This vulnerability
is fixed in 2.48.3, 2.47.8, 2.46.5, 2.45.5, 2.44.7, 2.43.11, and 2.42.17. (CVE-2024-29891)

See Also

https://github.com/advisories/GHSA-hr5w-cwwq-2v4m

Plugin Details

Severity: High

ID: 415909

Version: Revision 1.16

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2024-29891

CVSS v3

Risk Factor: High

Base Score: 8.7

Temporal Score: 7.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.3

Threat Score: 5.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/28/2024

Vulnerability Publication Date: 3/27/2024

Reference Information

CVE: CVE-2024-29891