CVE-2022-31168

Description

Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who donâ€™t own any bots, and lack permission to create them, canâ€™t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.

Related CPE's

a zulip zulip ********

References

https://github.com/zulip/zulip/releases/tag/5.5

Release NotesThird Party Advisory

https://github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034

PatchThird Party Advisory

https://github.com/zulip/zulip/security/advisories/GHSA-c3cp-ggg5-9xw5

Third Party Advisory

CvssV3 impact

Could not find any metrics

CvssV2 impact

Could not find any metrics

Created by Yello

About Severity.io