Multiple vulnerabilities in Zulip server



Published: 2021-04-19
Risk Medium
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2021-30487
CVE-2021-30479
CVE-2021-30478
CVE-2021-30477
CWE ID CWE-284
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Zulip Server
Web applications / Other software

Vendor Zulip

Security Advisory

1) Improper access control

Risk: Low

CVSSv3.1: 3.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30487

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the topic moving API. A remote administrator can move messages to streams in other organizations hosted by the same Zulip installation.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zulip Server: 3.0, 3.1, 3.2, 3.3

CPE External links

https://blog.zulip.com/2021/04/14/zulip-server-3-4/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-30479

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the implementation of the "all_public_streams" API feature. A remote attacker can receive message traffic to public streams that should have been only accessible to members of the organization.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zulip Server: 3.0, 3.1, 3.2, 3.3

CPE External links

https://blog.zulip.com/2021/04/14/zulip-server-3-4/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper access control

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30478

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the implementation of the "can_forge_sender" permission. A remote authenticated attacker can send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zulip Server: 3.0, 3.1, 3.2, 3.3

CPE External links

https://blog.zulip.com/2021/04/14/zulip-server-3-4/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper access control

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-30477

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the implementation of replies to messages sent by outgoing webhooks to private streams. A remote attacker can use an outgoing webhook bot to send messages to private streams.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zulip Server: 3.0, 3.1, 3.2, 3.3

CPE External links

https://blog.zulip.com/2021/04/14/zulip-server-3-4/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###