PT-2022-15053 · Unknown · Zulip Server
Alexmv · Published 2022-02-25 · Updated 2023-07-24 · CVE-2022-21706
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Zulip Server versions 2.0.0 through 4.9
Description: Zulip is an open-source team collaboration tool with topic-based threading. A Zulip Server deployment that hosts multiple organizations is vulnerable to an attack in which an invitation created in one organization can be used to join any other organization on the same server. This bypasses any restriction on the email domains users must have, can be used to gain access to organizations that are otherwise joinable only by invitation, and, because the invitation carries the role assigned by the inviter, can be used to gain access with elevated privileges.
Recommendations: For Zulip Server versions 2.0.0 through 4.9, upgrade to release 4.10, which fixes the issue. There are no known workarounds.
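The failure mode described above, modelled in Python as an added example. This is not Zulip's code and does not reproduce its actual implementation; the Realm, Invite and Server classes, the accept_invite_* names and the sample organizations are hypothetical. It shows why both a per-organization email-domain restriction and an invite-only policy are bypassed when the acceptance path never compares the organization that issued the invitation with the organization being joined, and what the missing check looks like:

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Realm:
    """One organization on a multi-organization server (hypothetical model)."""
    name: str
    allowed_domains: Optional[Set[str]] = None   # None: any email domain may join
    members: Dict[str, str] = field(default_factory=dict)  # email -> role


@dataclass
class Invite:
    key: str
    realm: Realm   # the organization whose admin issued the invitation
    email: str
    role: str      # role the inviter granted, e.g. "member" or "admin"


class Server:
    def __init__(self) -> None:
        self.invites: Dict[str, Invite] = {}

    def create_invite(self, realm: Realm, email: str, role: str = "member") -> str:
        # Domain restrictions are enforced here, against the issuing realm only.
        if realm.allowed_domains is not None:
            if email.rsplit("@", 1)[-1] not in realm.allowed_domains:
                raise ValueError("email domain not allowed in this organization")
        key = secrets.token_urlsafe(16)
        self.invites[key] = Invite(key, realm, email, role)
        return key

    def accept_invite_vulnerable(self, key: str, target: Realm) -> str:
        """The invitation is looked up by key alone; the realm being joined
        comes from the request and is never compared with invite.realm, so a
        key issued by one organization admits its holder to any other."""
        inv = self.invites.pop(key)
        target.members[inv.email] = inv.role
        return inv.role

    def accept_invite_fixed(self, key: str, target: Realm) -> str:
        """Same flow with the invitation bound to the realm that issued it."""
        inv = self.invites.get(key)
        if inv is None or inv.realm.name != target.name:
            raise PermissionError("invitation is not valid for this organization")
        del self.invites[key]
        target.members[inv.email] = inv.role
        return inv.role


def _scenario() -> Tuple[Server, Realm, Realm, str]:
    """Constructed sample: an invite-only 'corp' realm restricted to one email
    domain, and an open 'public' realm where the attacker controls an admin."""
    srv = Server()
    corp = Realm("corp", allowed_domains={"corp.example"})
    public = Realm("public")
    # The attacker (an admin of 'public') invites their own address with the admin role.
    key = srv.create_invite(public, "mallory@attacker.example", role="admin")
    return srv, corp, public, key


def demo() -> Dict[str, Tuple[str, bool]]:
    """Present the 'public' invitation to 'corp' on both code paths."""
    results = {}
    srv, corp, _, key = _scenario()
    role = srv.accept_invite_vulnerable(key, corp)      # joins corp as admin
    results["vulnerable"] = (role, "mallory@attacker.example" in corp.members)

    srv, corp, _, key = _scenario()
    try:
        role = srv.accept_invite_fixed(key, corp)
    except PermissionError:
        role = "denied"
    results["fixed"] = (role, "mallory@attacker.example" in corp.members)
    return results


if __name__ == "__main__":
    print(demo())
```

The fixed path rejects the key before consuming it, so a cross-organization attempt neither admits the holder nor burns a legitimate invitation; the domain check at creation time is sufficient only once the invitation cannot be redeemed anywhere except the organization that performed that check.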

Weakness Enumeration

Improper Access Control (CWE-284)
Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2022-21706
GHSA-6XMJ-2WCM-P2JC

Affected Products

Zulip Server