PT-2022-20582 · Unknown · Zulip Server · Andersk
Published 2022-07-22 · Updated 2022-07-29
CVE-2022-31168
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Zulip Server versions 5.4 and earlier
Description
The issue arises from an incorrect authorization check in Zulip Server, allowing a member of an organization to craft an API call that grants organization administrator privileges to one of their bots. Members who don’t own any bots and lack permission to create them can’t exploit this issue.
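To make the authorization flaw described above concrete from the defender's side, here is an added illustrative model of the check. It is not Zulip's code: the role ordering, the `User` and `Role` names, and both `change_bot_role_*` functions are assumptions chosen to make the logic explicit. The weak variant authorizes a bot role change on ownership alone, which is the class of mistake the description names; the hardened variant treats role changes as an administrative action and additionally refuses to grant any role above the caller's own. The audit helper supports the workaround section's advice to review existing bots by listing bots that currently hold a role higher than their owner's.

```python
"""Illustrative model of the bot-role authorization flaw in CVE-2022-31168.
Not Zulip's code: the role values, names and the functions below are
assumptions chosen to make the check explicit."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Optional


class Role(IntEnum):
    """Higher value = more privilege (illustrative ordering, not Zulip's)."""
    GUEST = 0
    MEMBER = 1
    MODERATOR = 2
    ADMINISTRATOR = 3
    OWNER = 4


@dataclass
class User:
    user_id: int
    role: Role
    is_bot: bool = False
    bot_owner_id: Optional[int] = None


class PermissionDenied(Exception):
    pass


def change_bot_role_weak(actor: User, bot: User, new_role: Role) -> None:
    """The flawed pattern: ownership is the only authorization check, so a
    plain member who owns a bot can hand it ADMINISTRATOR."""
    if not bot.is_bot or bot.bot_owner_id != actor.user_id:
        raise PermissionDenied("caller does not own this bot")
    bot.role = new_role


def change_bot_role_hardened(actor: User, bot: User, new_role: Role) -> None:
    """Corrected check: the caller must own the bot or be an administrator;
    a role change is an administrative action; and no caller may grant a
    role above their own (privilege ceiling, defense in depth)."""
    if not bot.is_bot:
        raise PermissionDenied("target is not a bot")
    is_admin = actor.role >= Role.ADMINISTRATOR
    owns_bot = bot.bot_owner_id == actor.user_id
    if not (owns_bot or is_admin):
        raise PermissionDenied("caller does not own this bot and is not an admin")
    if new_role != bot.role and not is_admin:
        raise PermissionDenied("only administrators may change a bot's role")
    if new_role > actor.role:
        raise PermissionDenied("cannot grant a role higher than the caller's own")
    bot.role = new_role


def attempt(change_fn: Callable[[User, User, Role], None],
            actor: User, bot: User, new_role: Role) -> bool:
    """Run one role change and report whether it was permitted."""
    try:
        change_fn(actor, bot, new_role)
        return True
    except PermissionDenied:
        return False


def over_privileged_bots(users: list[User]) -> list[int]:
    """Audit helper: ids of bots whose role exceeds their owner's role, the
    state a defender would look for when reviewing existing bots."""
    by_id = {u.user_id: u for u in users}
    return [b.user_id for b in users
            if b.is_bot and b.bot_owner_id in by_id
            and b.role > by_id[b.bot_owner_id].role]


if __name__ == "__main__":
    # Constructed sample organization: one member who owns one bot.
    member = User(1, Role.MEMBER)
    bot = User(10, Role.MEMBER, is_bot=True, bot_owner_id=1)
    print("weak check permits escalation:",
          attempt(change_bot_role_weak, member, bot, Role.ADMINISTRATOR))
    print("over-privileged bots:", over_privileged_bots([member, bot]))
    bot2 = User(11, Role.MEMBER, is_bot=True, bot_owner_id=1)
    print("hardened check permits escalation:",
          attempt(change_bot_role_hardened, member, bot2, Role.ADMINISTRATOR))
```

The privilege-ceiling check is deliberately kept even though the administrator requirement alone closes the reported issue: it also stops an administrator from promoting a bot to owner, and it keeps the function safe if a later refactor loosens the first condition.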
Recommendations
For Zulip Server versions 5.4 and earlier, update to Zulip Server 5.5 to fix the issue.
As a temporary workaround, an organization administrator can restrict the "Who can create bots" permission to administrators only, and change the ownership of existing bots.
Incorrect Authorization
Improper Authorization
Affected Products
Zulip Server