How severe is CVE-2022-36051?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2022-36051?

This is classified as CWE-436, which is a common weakness in software security.

CVE-2022-36051 - HIGH Severity | CVSS 8.8

Vulnerability Description

ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update.

Related Vulnerabilities

CVE-2018-19966

HIGH

CVSS:8.8(High)

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for ...

CWE-4362018

CVE-2018-6560

HIGH

CVSS:8.8(High)

In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in th...

CWE-4362018

CVE-2021-28474

HIGH

CVSS:8.8(High)

Microsoft SharePoint Server Remote Code Execution Vulnerability

CWE-4362021

CVE-2019-18792

CRITICAL

CVSS:9.1(Critical)

An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the P...

CWE-4362019

CVE-2024-38428

CRITICAL

CVSS:9.1(Critical)

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent...

CWE-4362024

CVE-2019-19589

CRITICAL

CVSS:9.8(Critical)

The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are valid JAR archives. Note: It has been argued that "The vulnerability reported in PDF ...

CWE-4362019