Crafted link in Zulip message can cause disclosure of credentials

High
gnprice published GHSA-4gj2-j32x-4wg5 Aug 24, 2022

Package

Zulip Mobile (mobile app)

Affected versions

up to v27.189

Patched versions

v27.190

Description

Impact

In Zulip Mobile versions up through v27.189, a crafted, malformed image link in a message sent by an authenticated user could lead to credential disclosure for a user who taps the image link.

This issue was discovered internally by the Zulip team. A complete audit on Zulip Cloud determined the vulnerability has never been exploited there.

Patches

This vulnerability is fixed in Zulip Mobile version v27.190.

Workarounds

Upgrading the Zulip server to Zulip Server 5.6 or later will prevent sending malformed links, making it impossible for this issue to be exploited. Zulip Cloud has been similarly upgraded.
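The advisory above describes a malformed image link that the mobile client mistook for a link to the user's own server, and a server-side fix that stops such links from being sent. The client-side counterpart is to decide whether a link really belongs to the user's realm by comparing parsed origins rather than inspecting the raw string. The following is an added example written for this page, not Zulip Mobile's own code, and it assumes (the advisory does not state the mechanism) that the client makes such a same-server decision before treating a link as trusted; the realm URL and the sample links are constructed for illustration.

```javascript
// Added example (not Zulip's code): classify links as "same realm" or foreign
// by parsed origin, so that only genuine same-server links are ever treated
// as trusted. REALM_URL and SAMPLE_LINKS are constructed for illustration.

const REALM_URL = 'https://realm.example.com';

// Return true only when `link` parses cleanly as http(s), carries no embedded
// userinfo, and its origin (scheme + host + port) equals the realm's origin.
// Anything that fails to parse is treated as foreign: refuse rather than guess.
function isSameRealmLink(link, realmUrl = REALM_URL) {
  let parsed;
  try {
    // Relative links (e.g. /user_uploads/...) resolve against the realm URL.
    parsed = new URL(link, realmUrl);
  } catch (e) {
    return false; // malformed URL: never trusted
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return false; // data:, file:, etc. have no meaningful origin here
  }
  if (parsed.username !== '' || parsed.password !== '') {
    return false; // "https://realm.example.com@other.host/" is not a realm link
  }
  // WHATWG URL normalises case and default ports, so a direct origin
  // comparison is exact, unlike a string-prefix check on the raw link.
  return parsed.origin === new URL(realmUrl).origin;
}

// Classify a batch of links; `trusted` says whether the link may be handled
// as a same-server resource.
function classifyLinks(links, realmUrl = REALM_URL) {
  return links.map((link) => ({ link, trusted: isSameRealmLink(link, realmUrl) }));
}

// Constructed sample links: the first two are genuine, the rest are shapes a
// naive prefix check would misjudge (lookalike host, userinfo, wrong scheme).
const SAMPLE_LINKS = [
  '/user_uploads/1/ab/photo.png',
  'https://realm.example.com/user_uploads/1/ab/photo.png',
  'https://realm.example.com.attacker.example/photo.png',
  'https://realm.example.com@attacker.example/photo.png',
  'https://attacker.example/photo.png',
  'http://realm.example.com/photo.png',
  'data:image/png;base64,AAAA',
  'https://[bad',
];

for (const { link, trusted } of classifyLinks(SAMPLE_LINKS)) {
  console.log(`${trusted ? 'same-realm' : 'foreign   '}  ${link}`);
}
```

Only the two genuine links come back as same-realm; the lookalike host, the userinfo form, the plain http variant and the unparseable string are all rejected, which is the behaviour a client needs before attaching anything sensitive to a request.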

For more information

If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.

Severity

High, 8.0 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2022-35962