SB2022022802 - Multiple vulnerabilities in Zulip server
Published: February 28, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2022-21706)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because a reusable invitation link can be used to join a different organization than the one it was created for. A remote user can join an organization without an invitation and gain elevated privileges.
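To make the defect concrete, the following is an added illustrative example, not Zulip's code: a reusable (multi-use) invitation that is looked up by token alone, beside a version that binds the invitation to the organization ("realm") it was issued for. Names such as MultiuseInvite, INVITES, accept_invite_vulnerable and accept_invite_fixed are assumptions for this example.

```python
"""Illustrative example (not Zulip's code): scoping a reusable invitation
to the organization it was created for, so a link issued for one
organization cannot be redeemed against another."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class MultiuseInvite:
    token: str
    realm_id: int      # organization the invitation was created for
    invited_as: str    # role granted on acceptance, e.g. "member" or "admin"


# Constructed in-memory store standing in for a database table of invitations.
INVITES: dict[str, MultiuseInvite] = {}


def create_invite(realm_id: int, invited_as: str = "member") -> str:
    """Issue a reusable invitation bound to realm_id and return its token."""
    token = secrets.token_urlsafe(32)
    INVITES[token] = MultiuseInvite(token, realm_id, invited_as)
    return token


def accept_invite_vulnerable(token: str, target_realm_id: int) -> tuple[int, str]:
    """Weak check: the invitation is looked up by token only. The realm the
    request is made against is never compared with the realm the invitation
    belongs to, so the user is admitted to target_realm_id with the invited role."""
    invite = INVITES.get(token)
    if invite is None:
        raise PermissionError("unknown invitation")
    return target_realm_id, invite.invited_as


def accept_invite_fixed(token: str, target_realm_id: int) -> tuple[int, str]:
    """Hardened check: a token issued for another organization is treated
    exactly like an unknown token, so the join is refused."""
    invite = INVITES.get(token)
    if invite is None or invite.realm_id != target_realm_id:
        raise PermissionError("invitation is not valid for this organization")
    return invite.realm_id, invite.invited_as
```

The fix is a single extra comparison at the point of acceptance; the key design choice is that the realm comes from the request context and the invitation record, never from the client's claim alone.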
2) Improper access control (CVE-ID: CVE-2021-3967)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user who obtains a valid session for the target user can call a vulnerable API endpoint to extract the api_key value without knowing the user's password.
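The following added example (not Zulip's code) shows the shape of the second issue: an endpoint that releases the account's API key to anyone holding a valid session, beside a hardened version that re-verifies the account password before releasing it. The User class, SESSIONS store and the fetch_api_key_vulnerable / fetch_api_key_fixed functions are assumptions made for this illustration.

```python
"""Illustrative example (not Zulip's code): requiring password confirmation
before an already-authenticated session may retrieve the account's API key."""
from dataclasses import dataclass
import hashlib
import hmac
import os
import secrets


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    api_key: str


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str) -> User:
    """Constructed user record with a salted password hash and a random API key."""
    salt = os.urandom(16)
    return User(username, salt, _hash_password(password, salt), secrets.token_hex(16))


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)


# Constructed in-memory session table: session id -> logged-in user.
SESSIONS: dict[str, User] = {}


def login(user: User, password: str) -> str:
    if not verify_password(user, password):
        raise PermissionError("bad credentials")
    session_id = secrets.token_urlsafe(24)
    SESSIONS[session_id] = user
    return session_id


def fetch_api_key_vulnerable(session_id: str) -> str:
    """Weak: possession of a session is the only requirement, so whoever
    holds the session (a stolen cookie, a shared browser) gets the long-lived key."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("not logged in")
    return user.api_key


def fetch_api_key_fixed(session_id: str, password: str) -> str:
    """Hardened: the session proves who is asking, the password proves the
    request is made by the account owner right now."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("not logged in")
    if not verify_password(user, password):
        raise PermissionError("password confirmation failed")
    return user.api_key
```

Re-authentication for sensitive actions is a standard control for exactly this failure mode: a session token is a weaker secret than the password, and exposing a long-lived API key should require the stronger one.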
Remediation
Install the update from the vendor's website.
References
- https://github.com/zulip/zulip/security/advisories/GHSA-6xmj-2wcm-p2jc
- https://blog.zulip.com/2022/02/25/zulip-cloud-invitation-vulnerability/
- https://github.com/zulip/zulip/commit/88917019f03860609114082cdc0f31a561503f9e
- https://blog.zulip.com/2022/02/25/zulip-server-4-10-security-release/#cve-2022-21706
- https://huntr.dev/bounties/2928a625-0467-4a0a-b4e2-e27322786686
- https://github.com/zulip/zulip/commit/d5db254ca8167995a1654d1c45ffc74b2fade39a