CVE-2022-31168

22.07.2022, 13:15

Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who dont own any bots, and lack permission to create them, cant exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
GitHub_M	CNA	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Vendor	Product	Version
zulip	zulip	𝑥 < 5.5

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034

https://github.com/zulip/zulip/releases/tag/5.5

https://github.com/zulip/zulip/security/advisories/GHSA-c3cp-ggg5-9xw5

https://github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034

https://github.com/zulip/zulip/releases/tag/5.5

https://github.com/zulip/zulip/security/advisories/GHSA-c3cp-ggg5-9xw5