Autosubscribe Flaw in Zulip Group Chat Application
CVE-2017-0881

4.3 MEDIUM

Key Information:

Vendor: Zulip
CVE Published: 28 March 2017

What is CVE-2017-0881?

A flaw in the autosubscribe feature of the Zulip group chat application's check_stream_exists route permitted authenticated users to subscribe to private streams without the necessary invitation. This vulnerability affects all versions of the Zulip server prior to 1.4.3, potentially compromising user privacy and the integrity of private conversations.

Affected Version(s)

Zulip Server versions 1.4.2 and below

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
