Improper Access Control in Zulip Server by Zulip
CVE-2021-30477

4.3MEDIUM

Key Information:

Vendor: Zulip
Status: Zulip Server
Vendor: CVE Published:; 15 April 2021

What is CVE-2021-30477?

A vulnerability in Zulip Server versions prior to 3.4 allows an outgoing webhook bot to send messages to private streams without proper authorization. This flaw stems from a coding issue where the intended access control mechanisms are bypassed, enabling users to interact with streams they aren't supposed to access. As a result, sensitive information could be inadvertently exposed, highlighting the importance of ensuring robust access control measures in messaging applications.

References

https://blog.zulip.com/2021/04/14/zulip-server-3-4/

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 15, 2021
Vulnerability Reserved
Apr 9, 2021

JSON