Multiple vulnerabilities in Zulip server
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-21706 CVE-2021-3967 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
Zulip Server Web applications / Other software |
| Vendor | Zulip |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU60897
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21706
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to a reusable invitation link can be used to join a different organization than the one it was created for. A remote user can join an organization without an invitation and gain elevated pririvleges.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZulip Server: 2.0.0 - 4.9
External linkshttp://github.com/zulip/zulip/security/advisories/GHSA-6xmj-2wcm-p2jc
http://blog.zulip.com/2022/02/25/zulip-cloud-invitation-vulnerability/
http://github.com/zulip/zulip/commit/88917019f03860609114082cdc0f31a561503f9e
http://blog.zulip.com/2022/02/25/zulip-server-4-10-security-release/#cve-2022-21706
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU60898
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2021-3967
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user who gets the user's valid session can call vulnerable API to extract the api_key value without user's password.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZulip Server: 1.1.5 - 4.9
External linkshttp://huntr.dev/bounties/2928a625-0467-4a0a-b4e2-e27322786686
http://github.com/zulip/zulip/commit/d5db254ca8167995a1654d1c45ffc74b2fade39a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
