#VU52318 Improper access control in Zulip Server - CVE-2021-30477
Published: April 19, 2021
Vulnerability identifier: #VU52318
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-30477
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Zulip Server
Software vendor:
Zulip
Description
The vulnerability allows a remote attacker to reach functionality that should be restricted to authorized users.
The vulnerability exists due to improper access restrictions in the handling of replies that outgoing webhooks send in response to messages from private streams. The reply is delivered without the access check applied to an ordinary message send, so an attacker who controls an outgoing webhook bot can use it to post messages into private streams that the bot should not be able to send to.
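The access-control point described above, modelled as an added example in Python (Zulip's implementation language). This is not Zulip's code and does not claim to reproduce its exact code path or root cause: it contrasts a reply-delivery function that trusts the target stream of the triggering message with one that reuses the same stream access rule an ordinary message send would apply. All names (`Stream`, `BotUser`, `deliver_reply_vulnerable`, `deliver_reply_fixed`, `can_send_to_stream`) and the sample scenario are hypothetical and constructed for illustration.

```python
"""Illustrative model of the access-control point behind CVE-2021-30477.

Added example, not Zulip's code. It contrasts a webhook-reply path that
posts wherever the triggering message came from (no check) with one that
applies the normal stream-send rule first. All names are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Stream:
    name: str
    invite_only: bool                              # True for a private stream
    subscribers: set = field(default_factory=set)  # user ids allowed in the stream


@dataclass(frozen=True)
class BotUser:
    user_id: int
    name: str


class StreamAccessDenied(Exception):
    """Raised when a sender may not post to the target stream."""


def can_send_to_stream(sender: BotUser, stream: Stream) -> bool:
    """Rule assumed for ordinary message sends in this model: anyone may
    post to a public stream; only subscribers may post to a private one."""
    return (not stream.invite_only) or (sender.user_id in stream.subscribers)


def deliver_reply_vulnerable(bot: BotUser, stream: Stream, content: str, outbox: list) -> bool:
    """Reply path without the check: the bot's reply lands in the stream the
    triggering message referenced, even a private stream the bot cannot access."""
    outbox.append((stream.name, bot.name, content))
    return True


def deliver_reply_fixed(bot: BotUser, stream: Stream, content: str, outbox: list) -> bool:
    """Reply path that reuses the normal send rule before delivering."""
    if not can_send_to_stream(bot, stream):
        raise StreamAccessDenied(f"{bot.name} may not post to #{stream.name}")
    outbox.append((stream.name, bot.name, content))
    return True


def demo():
    """Constructed scenario: a bot that is not subscribed to a private stream
    replies through each path. Returns (vulnerable_outbox, denied, fixed_outbox)."""
    bot = BotUser(user_id=42, name="deploy-bot")
    secret = Stream("security-incidents", invite_only=True, subscribers={1, 2})
    public = Stream("general", invite_only=False)
    reply = {"content": "roll out complete"}  # constructed sample webhook reply

    vulnerable_outbox: list = []
    deliver_reply_vulnerable(bot, secret, reply["content"], vulnerable_outbox)

    fixed_outbox: list = []
    try:
        deliver_reply_fixed(bot, secret, reply["content"], fixed_outbox)
        denied = False
    except StreamAccessDenied:
        denied = True
    # The fixed path still delivers where the bot is allowed to post.
    deliver_reply_fixed(bot, public, reply["content"], fixed_outbox)
    return vulnerable_outbox, denied, fixed_outbox


if __name__ == "__main__":
    print(demo())
```

The practitioner's takeaway is the design point, not the toy: any path that sends on behalf of a user, including internal or bot-driven sends triggered by external responses, must go through the same authorization check as a user-initiated send, rather than trusting the stream recorded on the triggering message.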
Remediation
Install the updated version of Zulip Server from the vendor's website.