PT-2022-26145 · Unknown · Zulip Server

Alexmv · Published 2022-11-16 · Updated 2022-11-21 · CVE-2022-41914

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Zulip Server versions 5.0 through 5.6

Description
Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity Management (SCIM) account management enabled, it might theoretically be possible for an attacker to infer the value of the SCIM bearer token by performing a sophisticated timing analysis on a large number of failing requests. If successful, this would allow the attacker to impersonate the SCIM client and use its ability to read and update user accounts in the Zulip organization. The attack needs many timed requests against the SCIM endpoint and a low-noise network path, which is why the vector rates attack complexity as high and the overall severity as Low.

Recommendations
Upgrade to Zulip Server 5.7 or later, which fixes the verification of the SCIM authorization token. Until the upgrade can be applied, consider disabling SCIM account management, and restrict network access to the SCIM endpoint so that only the identity provider that legitimately synchronizes accounts can reach it. If the token may have been exposed, rotate it after upgrading, since a recovered token stays valid until it is replaced.
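The timing signal described above is the classic result of checking a secret with an early-exit comparison: the server stops at the first mismatching character, so a guess that shares a longer prefix with the real token takes measurably longer to reject. The following is an added example written for this page, not Zulip's code; it models a SCIM bearer-token check in both its vulnerable and hardened forms and shows, against a noiseless stand-in for response time, why the leak lets an attacker recover the token one character at a time. The token value, function names and the `ALPHABET` are hypothetical.

```python
"""Model of the timing side channel behind CVE-2022-41914 (added example, not
Zulip's code): a SCIM bearer-token check built on an early-exit comparison
leaks how many leading characters of a guess are right, so an attacker who
can time many failing requests can recover the token one character at a time.
The hardened check uses hmac.compare_digest. Names and the sample token are
hypothetical."""
import hmac
from typing import Callable, Optional, Tuple

# Constructed sample secret; a real deployment uses a long random token.
SCIM_BEARER_TOKEN = "k7Qz2pLm9xVb4nRt"
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def parse_bearer(header: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, or None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def leaky_equals(presented: str, secret: str) -> Tuple[bool, int]:
    """Early-exit string comparison. The second value is the number of
    characters examined before returning; it stands in for the response time
    an attacker would measure against a real server."""
    if len(presented) != len(secret):
        return False, 0
    for i, (p, s) in enumerate(zip(presented, secret)):
        if p != s:
            return False, i + 1
    return True, len(secret)


def vulnerable_authorize(header: Optional[str], secret: str = SCIM_BEARER_TOKEN) -> Tuple[bool, int]:
    """Vulnerable form: accepts the request iff the token matches, but the work
    done (and so the latency) depends on how much of the guess is right."""
    token = parse_bearer(header)
    if token is None:
        return False, 0
    return leaky_equals(token, secret)


def hardened_authorize(header: Optional[str], secret: str = SCIM_BEARER_TOKEN) -> bool:
    """Hardened form: hmac.compare_digest examines every byte regardless of
    where the first mismatch is, so all failing requests of a given length
    take the same time (only the length of the presented token is observable)."""
    token = parse_bearer(header)
    if token is None:
        return False
    return hmac.compare_digest(token.encode("utf-8"), secret.encode("utf-8"))


def recover_token(length: int, oracle: Callable[[str], Tuple[bool, int]]) -> str:
    """Idealised attacker against the vulnerable check: for each position try
    every character, keep the one whose failing request 'took longest', and
    move on. Real measurements are noisy and need many repetitions per guess;
    the noiseless oracle here shows why the signal exists at all."""
    known = ""
    for pos in range(length):
        best_char, best_steps = "", -1
        for c in ALPHABET:
            guess = known + c + "A" * (length - pos - 1)
            accepted, steps = oracle("Bearer " + guess)
            if accepted:
                return guess
            if steps > best_steps:
                best_char, best_steps = c, steps
        known += best_char
    return known


if __name__ == "__main__":
    recovered = recover_token(len(SCIM_BEARER_TOKEN), vulnerable_authorize)
    print("recovered:", recovered, "match:", recovered == SCIM_BEARER_TOKEN)
    print("hardened accepts real token:", hardened_authorize("Bearer " + SCIM_BEARER_TOKEN))
```

Against `vulnerable_authorize` the recovery loop needs only `len(ALPHABET)` guesses per character instead of `len(ALPHABET) ** len(token)` for the whole secret, which is the entire point of the side channel. `hmac.compare_digest` still reveals whether the presented token has the right length, which is acceptable for a bearer token of fixed, public length; a deployment that wants to hide even that can compare HMACs of both values instead.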

Exploit

Information Disclosure

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2022-41914
GHSA-Q5GX-377V-W76F

Affected Products

Zulip Server