Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2021-30487 CVE-2021-30479 CVE-2021-30478 CVE-2021-30477 |
CWE-ID | CWE-284 CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Zulip Server (Web applications / Other software) |
Vendor | Zulip |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU52314
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-30487
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the topic moving API. A remote administrator can move messages to streams in other organizations hosted by the same Zulip installation.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Zulip Server: 3.0 - 3.3
CPE2.3:
Reference: https://blog.zulip.com/2021/04/14/zulip-server-3-4/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52316
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-30479
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the implementation of the "all_public_streams" API feature. A remote attacker can receive message traffic to public streams that should have been accessible only to members of the organization.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Zulip Server: 3.0 - 3.3
CPE2.3:
Reference: https://blog.zulip.com/2021/04/14/zulip-server-3-4/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52317
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-30478
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the implementation of the "can_forge_sender" permission. A remote authenticated attacker can send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Zulip Server: 3.0 - 3.3
CPE2.3:
Reference: https://blog.zulip.com/2021/04/14/zulip-server-3-4/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52318
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-30477
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the implementation of replies to messages sent by outgoing webhooks to private streams. A remote attacker can use an outgoing webhook bot to send messages to private streams.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: Zulip Server: 3.0 - 3.3
CPE2.3:
Reference: https://blog.zulip.com/2021/04/14/zulip-server-3-4/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.