PT-2022-20554 · Unknown · Zulip Server
Alexmv · Published 2022-07-12 · Updated 2022-07-22 · CVE-2022-31134
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Zulip Server versions 2.1.0 through 5.3
Description: Zulip is an open-source team collaboration tool. It has a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. However, this export contains the attachment contents for all attachments, even those from private messages and streams, potentially allowing administrators to access private information they are not expected to have access to.
Recommendations: For Zulip Server versions 2.1.0 through 5.3, update to version 5.4 to resolve the issue.

Tags: Exploit · Fix · Information Disclosure · Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2022-31134, GHSA-58PM-88XP-7X9M

Affected Products: Zulip Server