Exponential Backtracking Vulnerability in Zulip Server by Zulip
CVE-2019-16215

6.5 MEDIUM

Key Information:

Vendor: Zulip
CVE Published: 18 September 2019

What is CVE-2019-16215?

The Markdown parser in Zulip server prior to version 2.0.5 is affected by an exponential backtracking vulnerability caused by a faulty regular expression. An authenticated user can send specially crafted messages that cause the server to consume excessive CPU resources. Message processing can then stall, leading to a denial-of-service condition. This can significantly degrade server performance and user experience, so affected servers should be updated immediately.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
