PT-2022-16855 · Zulip · Zulip

Alexmv · Published 2022-03-16 · Updated 2022-03-22 · CVE-2022-24751

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Zulip versions 4.0 through 4.10

Description: Zulip is an open source group chat application. Versions 4.0 through 4.10 contain a race condition in account deactivation: in rare cases, if the user being deactivated is accessing the server at the same moment, that user may retain access after the deactivation completes.

Recommendations: For Zulip versions 4.0 through 4.10, upgrade to version 4.11 on the 4.x branch or to version 5.0-rc1 on the 5.x branch. Upgrading to a fixed version also deactivates any cached sessions that may have been leaked through this bug.
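As an added illustration of the class of bug described above (a constructed model, not Zulip's own code; the two-step deactivation order, the `is_active` snapshot cached in the session row, and the end-of-request session write-back are assumptions used to show the race, not details taken from the advisory), the following enumerates every interleaving of a deactivation with an in-flight request by the same user and reports the orders after which the old session key still authenticates. The hardened variant applies the general remedy of re-reading the authoritative flag on every request; the advisory does not describe Zulip's actual fix.

```python
"""Constructed model of a deactivation / in-flight-request race (not Zulip's code).

Assumptions (not taken from the advisory): a session row caches a snapshot of
the user record; the vulnerable deactivation deletes the user's session rows
and then flips the authoritative is_active flag; a request already in flight
writes its session back when it finishes, re-creating the row if deactivation
deleted it in between.
"""
import itertools
from dataclasses import dataclass, field


@dataclass
class Store:
    """Stand-in for the user table and the session table."""
    active: dict = field(default_factory=dict)    # user -> is_active (authoritative)
    sessions: dict = field(default_factory=dict)  # session key -> cached snapshot


def login(store, user, key):
    store.active[user] = True
    store.sessions[key] = {"user": user, "is_active": True}


def _drop_sessions(store, user):
    for key in [k for k, s in store.sessions.items() if s["user"] == user]:
        del store.sessions[key]


def _set_inactive(store, user):
    store.active[user] = False


def request_steps(store, key):
    """An in-flight request by the user being deactivated, as three atomic steps."""
    ctx = {}

    def load():   # session middleware loads the row (nothing if it is already gone)
        row = store.sessions.get(key)
        ctx["session"] = dict(row) if row else None

    def work():   # the view runs; nothing security-relevant happens here
        pass

    def save():   # middleware writes the session back, re-creating a deleted row
        if ctx["session"] is not None:
            store.sessions[key] = ctx["session"]

    return [load, work, save]


# Vulnerable design: drop sessions, then flip the flag; later requests trust
# the is_active snapshot cached in the session row.
def deactivate_vuln(store, user):
    return [lambda: _drop_sessions(store, user), lambda: _set_inactive(store, user)]


def authenticate_vuln(store, key):
    row = store.sessions.get(key)
    return row is not None and row["is_active"]


# Hardened design: flip the authoritative flag first, and re-read that flag on
# every request, so a resurrected session row buys the user nothing.
def deactivate_fixed(store, user):
    return [lambda: _set_inactive(store, user), lambda: _drop_sessions(store, user)]


def authenticate_fixed(store, key):
    row = store.sessions.get(key)
    return row is not None and store.active.get(row["user"], False)


def interleavings(n_d, n_r):
    """Every order in which n_d deactivation steps and n_r request steps can interleave."""
    for pos in itertools.combinations(range(n_d + n_r), n_d):
        yield "".join("D" if i in pos else "R" for i in range(n_d + n_r))


def run(order, d_steps, r_steps):
    """Execute one interleaving: 'D' advances deactivation, 'R' advances the request."""
    d, r = iter(d_steps), iter(r_steps)
    for who in order:
        (next(d) if who == "D" else next(r))()


def leaky_orders(deactivate, authenticate, user="alice", key="sess-1"):
    """Interleavings after which a fresh request with the old session key still authenticates."""
    leaks = []
    for order in interleavings(2, 3):
        store = Store()
        login(store, user, key)
        run(order, deactivate(store, user), request_steps(store, key))
        if authenticate(store, key):
            leaks.append(order)
    return leaks


if __name__ == "__main__":
    print("vulnerable:", leaky_orders(deactivate_vuln, authenticate_vuln))
    print("hardened:  ", leaky_orders(deactivate_fixed, authenticate_fixed))
```

Of the ten possible interleavings, the vulnerable design leaks in the five where the request loads its session before the deletion step and writes it back afterwards (`RDDRR`, `RDRDR`, `RDRRD`, `RRDDR`, `RRDRD`); the hardened design leaks in none, because the resurrected row is checked against the user table rather than its own cached snapshot. This is also why the advisory's note that upgrading "deactivates any cached sessions" matters: a fix that only changes the deactivation code path leaves rows already resurrected by a past race in place.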

Weakness Enumeration

Race Condition

Related Identifiers

CVE-2022-24751
GHSA-6V98-M5X5-PHQJ

Affected Products

Zulip