Impact
Under certain circumstances an action could set reserved claims managed by ZITADEL.
For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name
{"urn:zitadel:iam:user:resourceowner:name": "ACME"}if it was not set by ZITADEL itself.
To compensate for this we introduced a protection that does prevent actions from changing claims that start with urn:zitadel:iam
Patches
2.x versions are fixed on >= 2.48.3
2.47.x versions are fixed on >= 2.47.8
2.46.x versions are fixed on >= 2.46.5
2.45.x versions are fixed on >= 2.45.5
2.44.x versions are fixed on >= 2.44.7
2.43.x versions are fixed on >= 2.43.11
2.42.x versions are fixed on >= 2.42.17
Workarounds
No workaround available since a patch is available
Credits
Many thanks to @schettn whose disclosure of another topic lead us to find this issue.
schettn Finder
fforootd Coordinator
adlerhurst Remediation reviewer
livio-a Remediation developer
Impact
Under certain circumstances an action could set reserved claims managed by ZITADEL.
For example it would be possible to set the claim
urn:zitadel:iam:user:resourceowner:name{"urn:zitadel:iam:user:resourceowner:name": "ACME"}if it was not set by ZITADEL itself.
To compensate for this we introduced a protection that does prevent actions from changing claims that start with
urn:zitadel:iamPatches
2.x versions are fixed on >= 2.48.3
2.47.x versions are fixed on >= 2.47.8
2.46.x versions are fixed on >= 2.46.5
2.45.x versions are fixed on >= 2.45.5
2.44.x versions are fixed on >= 2.44.7
2.43.x versions are fixed on >= 2.43.11
2.42.x versions are fixed on >= 2.42.17
Workarounds
No workaround available since a patch is available
Credits
Many thanks to @schettn whose disclosure of another topic lead us to find this issue.