Improper access control in Zulip Server - CVE-2021-30477

 

Improper access control in Zulip Server - CVE-2021-30477

Published: April 19, 2021


Vulnerability identifier: #VU52318
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-30477
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Zulip
Affected software:
Zulip Server

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the implementation of replies to messages sent by outgoing webhooks to private streams. A remote attacker can use an outgoing webhook bot to send messages to private streams.


How to mitigate CVE-2021-30477

Install updates from vendor's website.

Sources