SB2023052002 - Multiple vulnerabilities in Zulip Server
Published: May 20, 2023
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Privilege Management (CVE-ID: CVE-2023-32677)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper privilege management when sending invitations. A remote user can add other users to streams when they are not authorized to do so.
2) Improper authorization (CVE-ID: CVE-2023-28623)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to an error in the registration process. A remote attacker can register a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory.
Successful exploitation of the vulnerability requires that ZulipLDAPAuthBackend and an external authentication backend (any backend other than ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py, and that the organization's permissions do not require an invitation to join.
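As an added example that is not part of this bulletin or of the Zulip project, the following Python triage helper reads the AUTHENTICATION_BACKENDS assignment out of a settings.py file and reports whether the backend combination described above, together with the organization's invitation setting, matches the precondition for CVE-2023-28623. The "zproject.backends." module prefix in the constructed sample settings and the invite_required flag name are assumptions; the class names come from the bulletin.

```python
import ast

# Backend class names as given in the bulletin.
LDAP_BACKEND = "ZulipLDAPAuthBackend"
EMAIL_BACKEND = "EmailAuthBackend"

# Constructed settings.py fragments for illustration (not real deployments).
# The "zproject.backends." prefix is assumed; only the class names matter here.
VULNERABLE_SETTINGS = '''
AUTHENTICATION_BACKENDS = (
    "zproject.backends.ZulipLDAPAuthBackend",
    "zproject.backends.SAMLAuthBackend",
)
'''
SAFE_SETTINGS = '''
AUTHENTICATION_BACKENDS = (
    "zproject.backends.ZulipLDAPAuthBackend",
    "zproject.backends.EmailAuthBackend",
    "zproject.backends.SAMLAuthBackend",
)
'''


def enabled_backends(settings_src: str) -> list[str]:
    """Return the backend class names assigned to AUTHENTICATION_BACKENDS.

    The file is parsed with ast instead of being executed, so a settings.py
    with side effects or secrets is never imported by the triage script.
    """
    for node in ast.walk(ast.parse(settings_src)):
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "AUTHENTICATION_BACKENDS"
            for t in node.targets
        ):
            paths = ast.literal_eval(node.value)
            return [p.rsplit(".", 1)[-1] for p in paths]
    return []


def exposed_to_cve_2023_28623(backends: list[str], invite_required: bool) -> bool:
    """True when the bulletin's precondition holds: LDAP plus at least one
    external backend, no EmailAuthBackend, and open (invitation-free) joining.
    invite_required is the organization-level setting, assumed to be supplied
    by the operator since it lives in the database, not in settings.py."""
    names = set(backends)
    external = names - {LDAP_BACKEND, EMAIL_BACKEND}
    return (LDAP_BACKEND in names and EMAIL_BACKEND not in names
            and bool(external) and not invite_required)
```

A match means the server should be upgraded to a fixed release before relying on the LDAP directory as the only gate on account creation.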
Remediation
Install the update from the vendor's website.
References
- https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5
- https://zulip.com/help/restrict-account-creation#change-who-can-send-invitations
- https://github.com/zulip/zulip/security/advisories/GHSA-mrvp-96q6-jpvc
- https://github.com/zulip/zulip/releases/tag/6.2
- https://github.com/zulip/zulip/commit/3df1b4dd7c210c21deb6f829df19412b74573f8d
- https://github.com/zulip/zulip/security/advisories/GHSA-7p62-pjwg-56rv