Zulip Server public data export contains attachments that are non-public
CVE-2022-31134

4.9MEDIUM

Key Information:

Vendor

Zulip

Status
Zulip
Vendor
CVE Published:
12 July 2022

What is CVE-2022-31134?

Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to administrators, in many configurations server administrators are not expected to have access to private messages and private streams. However, the "public data" export which administrators could generate contained the attachment contents for all attachments, even those from private messages and streams. Zulip Server version 5.4 contains a patch for this issue.

Affected Version(s)

zulip >= 2.1.0, < 5.4

References

https://github.com/zulip/zulip/security/advisories/GHSA-5...
x_refsource_CONFIRM
https://blog.zulip.com/2022/07/12/zulip-cloud-data-exports
x_refsource_MISC
https://blog.zulip.com/2022/07/12/zulip-server-5-4-securi...
x_refsource_MISC

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.