Improper authorization in Zulip Server - CVE-2023-28623

 

Improper authorization in Zulip Server - CVE-2023-28623

Published: May 20, 2023


Vulnerability identifier: #VU76393
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-28623
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Zulip
Affected software:
Zulip Server

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to an error in the registration process. A remote attacker can register a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory.

Successful exploitation of the vulnerability requires that ZulipLDAPAuthBackend and an external authentication backend (any aside of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py and that the organization permissions don't require invitations to join.


How to mitigate CVE-2023-28623

Install updates from vendor's website.

Sources