SB2021041904 - Multiple vulnerabilities in Zulip server
Published: April 19, 2021
Breakdown by Severity: [severity chart; per-severity counts not present in the extracted text]
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2021-30487)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the topic moving API. A remote administrator can move messages to streams in other organizations hosted by the same Zulip installation.
2) Information disclosure (CVE-ID: CVE-2021-30479)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the implementation of the "all_public_streams" API feature. A remote attacker can receive message traffic to public streams that should have been accessible only to members of the organization.
3) Improper access control (CVE-ID: CVE-2021-30478)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the implementation of the "can_forge_sender" permission. A remote authenticated attacker can send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation.
4) Improper access control (CVE-ID: CVE-2021-30477)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the implementation of replies to messages sent by outgoing webhooks to private streams. A remote attacker can use an outgoing webhook bot to send messages to private streams.
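Three of the four issues share a root cause: an authorization check that tests the caller's role or the stream's visibility but never confirms that the caller and the target stream belong to the same organization on a shared installation. The following constructed Python model (added here; not Zulip's code, and the realm, user and stream names are invented) shows that weak check beside the realm-scoped one.

```python
# Constructed model of the access-control gap shared by the cross-organization
# issues above; not Zulip's code. Each vulnerable check tests role or stream
# visibility but never confirms that caller and target belong to the same
# organization ("realm") on a shared installation.
from dataclasses import dataclass

@dataclass(frozen=True)
class Stream:
    name: str
    realm: str          # organization that owns the stream
    is_public: bool

@dataclass(frozen=True)
class User:
    email: str
    realm: str          # organization the user belongs to
    is_admin: bool = False

def can_move_to_stream_vulnerable(user: User, target: Stream) -> bool:
    # Role-only check: an admin of realm A may target a stream of realm B.
    return user.is_admin

def can_move_to_stream_fixed(user: User, target: Stream) -> bool:
    # Tenant boundary first, role second.
    return user.realm == target.realm and user.is_admin

def can_read_public_vulnerable(user: User, stream: Stream) -> bool:
    # "Public" taken to mean anyone on the installation, not anyone in the realm.
    return stream.is_public

def can_read_public_fixed(user: User, stream: Stream) -> bool:
    return stream.is_public and user.realm == stream.realm

# Constructed sample data: two organizations hosted by one installation.
ACME_ADMIN = User("admin@acme.example", realm="acme", is_admin=True)
GLOBEX_GENERAL = Stream("general", realm="globex", is_public=True)
GLOBEX_PRIVATE = Stream("finance", realm="globex", is_public=False)

def cross_realm_gap() -> dict:
    """Evaluate each check for an admin of 'acme' acting on 'globex' streams."""
    return {
        "move_vulnerable": can_move_to_stream_vulnerable(ACME_ADMIN, GLOBEX_PRIVATE),
        "move_fixed": can_move_to_stream_fixed(ACME_ADMIN, GLOBEX_PRIVATE),
        "read_vulnerable": can_read_public_vulnerable(ACME_ADMIN, GLOBEX_GENERAL),
        "read_fixed": can_read_public_fixed(ACME_ADMIN, GLOBEX_GENERAL),
    }

if __name__ == "__main__":
    print(cross_realm_gap())
```

The fixed variants deny every cross-realm request while still granting the same in-realm access, which is the property to verify when reviewing a multi-tenant authorization path.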
Remediation
Install the update from the vendor's website.