Improper access control in Zulip Server - CVE-2024-27286

 

Improper access control in Zulip Server - CVE-2024-27286

Published: March 20, 2024


Vulnerability identifier: #VU87651
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-27286
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Zulip
Affected software:
Zulip Server

Detailed vulnerability description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to an error in the moving messages feature when moving messages between stream or unsubscribing users from a stream. A remote user who previously had access to a stream can continue reading messages.


How to mitigate CVE-2024-27286

Install updates from vendor's website.

Sources