ZITADEL Session API IdP Intent Token Reuse Vulnerability

Vulnerability

A vulnerability in ZITADEL's identity infrastructure software allows identity provider (IdP) intents to be reused in the Session API. The issue affects ZITADEL versions prior to 3.0.0, 2.71.9 and 2.70.10. Because a successfully completed IdP intent could be used more than once, an attacker with access to the application's URI could retrieve the id and token associated with the intent and present them to the Session API to authenticate on behalf of the user. Multi-factor authentication (MFA) blocks this process: the replayed intent alone does not satisfy the additional factor, so access to the ZITADEL API is prevented for users with MFA.

Impact

Exploitation allows an attacker to authenticate on behalf of a user without that user's involvement, which can lead to unauthorized access to the user's sessions and to the resources reachable through them within the ZITADEL platform.

Reproduction

The vulnerability can be reproduced by initiating an IdP intent and completing the login at the external IdP. On success, the application receives the intent's id and token. In affected versions, that same id and token can then be submitted to the Session API repeatedly to authenticate the user or their session, and the replay can be automated, because the intent was not invalidated after its first use.
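To make the difference between the affected and the fixed behaviour concrete, here is an added example in Go that is not ZITADEL's code: it models an IdP intent store holding the id/token pair that a session check would expect. The store has a vulnerable mode, in which a completed intent stays valid for repeated use, and a single-use mode, in which the first successful session check consumes it. The type and function names, the user id, and the expiry window (TTL) are assumptions for illustration; the TTL is an extra hardening choice in this model, not a claim about how ZITADEL's fix works.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// intent is a hypothetical model (not ZITADEL's code) of a completed IdP
// intent: the token the client must present, the user it identifies, when
// the IdP callback succeeded, and whether it has already been used.
type intent struct {
	token     string
	userID    string
	succeeded time.Time
	consumed  bool
}

type intentStore struct {
	mu        sync.Mutex
	intents   map[string]*intent
	singleUse bool             // false models the vulnerable behaviour
	ttl       time.Duration    // assumed validity window after success
	now       func() time.Time // injectable clock for testing expiry
}

func newIntentStore(singleUse bool, ttl time.Duration) *intentStore {
	return &intentStore{intents: map[string]*intent{}, singleUse: singleUse, ttl: ttl, now: time.Now}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// succeed records a successful IdP callback and returns the id/token pair
// that the application receives for the intent.
func (s *intentStore) succeed(userID string) (id, token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	id, token = randomHex(8), randomHex(32)
	s.intents[id] = &intent{token: token, userID: userID, succeeded: s.now()}
	return id, token
}

var (
	errUnknownIntent = errors.New("unknown intent id")
	errBadToken      = errors.New("intent token mismatch")
	errExpired       = errors.New("intent expired")
	errReused        = errors.New("intent already used")
)

// createSession models the session check: it validates the intent and, in
// single-use mode, marks it consumed so that a replay of the same pair fails.
func (s *intentStore) createSession(id, token string) (userID string, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	in, ok := s.intents[id]
	if !ok {
		return "", errUnknownIntent
	}
	if subtle.ConstantTimeCompare([]byte(in.token), []byte(token)) != 1 {
		return "", errBadToken
	}
	if s.now().Sub(in.succeeded) > s.ttl {
		return "", errExpired
	}
	if s.singleUse {
		if in.consumed {
			return "", errReused
		}
		in.consumed = true
	}
	return in.userID, nil
}

// replay presents one id/token pair n times and returns how many session
// creations succeeded: n under the vulnerable behaviour, 1 when single-use.
func replay(store *intentStore, n int) int {
	id, token := store.succeed("user-123") // assumed user id
	successes := 0
	for i := 0; i < n; i++ {
		if _, err := store.createSession(id, token); err == nil {
			successes++
		}
	}
	return successes
}

func main() {
	fmt.Println("vulnerable (reusable intent):", replay(newIntentStore(false, 10*time.Minute), 5))
	fmt.Println("fixed (single-use intent):   ", replay(newIntentStore(true, 10*time.Minute), 5))
}
```

The single-use mode is the property that matters for this advisory: once the pair has produced a session, presenting it again must be rejected. The constant-time comparison and the expiry window are the usual companions of a bearer-style token check and are included so the model reflects what a practitioner would actually ship.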

Remediation

Users are advised to update ZITADEL to version 3.0.0, 2.71.9 or 2.70.10, or a later release on the same line, all of which include the fix.
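As an added helper for checking an inventory of instances against the fixed versions named above, written in Go and not part of ZITADEL or this advisory: it classifies a version string as fixed, vulnerable or unknown. Anything the advisory does not name explicitly, such as a pre-release tag or a 2.x minor line other than 2.70 and 2.71, is reported as unknown rather than assumed safe; the function names are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseVersion splits "v2.71.9" or "2.71.9" into major, minor and patch.
// A pre-release or build suffix such as "3.0.0-rc.1" makes ok false, since
// the advisory names only final releases. (Hypothetical helper.)
func parseVersion(v string) (major, minor, patch int, ok bool) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if strings.ContainsAny(v, "-+") {
		return 0, 0, 0, false
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, false
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// classify returns "fixed", "vulnerable" or "unknown" for a ZITADEL version
// against the fixed versions in this advisory: 3.0.0, 2.71.9 and 2.70.10.
func classify(v string) string {
	major, minor, patch, ok := parseVersion(v)
	if !ok {
		return "unknown"
	}
	switch {
	case major >= 3:
		return "fixed"
	case major < 2, major == 2 && minor < 70:
		return "vulnerable" // everything prior to 2.70.10
	case major == 2 && minor == 70:
		if patch >= 10 {
			return "fixed"
		}
		return "vulnerable"
	case major == 2 && minor == 71:
		if patch >= 9 {
			return "fixed"
		}
		return "vulnerable"
	default:
		// A 2.x line above 2.71 is not named by the advisory; check it by hand.
		return "unknown"
	}
}

func main() {
	for _, v := range []string{"v2.70.9", "2.70.10", "2.71.8", "2.71.9", "3.0.0", "3.0.0-rc.1", "2.72.0"} {
		fmt.Printf("%-12s %s\n", v, classify(v))
	}
}
```

Treating unnamed lines as unknown is deliberate: a fleet check that silently maps them to "fixed" is the kind of assumption that leaves an affected instance in production.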

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 7.2
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.