Public data export contains attachments that are non-public

Moderate
alexmv published GHSA-58pm-88xp-7x9m Jul 12, 2022

Package

Zulip Server (Application)

Affected versions

> 2.1.0, < 5.4

Patched versions

5.4

Description

Impact

Since Zulip Server 2.1.0, administrators of Zulip organizations can export public data from their organization via the organization settings menu. The exports include all the data that appears in public streams, and can be used to migrate from Zulip Cloud to self-hosting Zulip. Note that exporting private data is a separate process that requires command-line access to the Zulip server.

Due to a bug in the public export code, exports of public data contained all uploaded files, even those from private messages and private streams. This may have allowed organization owners or administrators to extract uploaded files that they were not otherwise allowed to access. The content of non-public messages was never included in public exports.
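The defensive check implied by this advisory, as an added example that is not Zulip's own export code: an upload belongs in a public export only if at least one message it is attached to was posted to a public stream, and an existing export can be audited against that rule. The record layout (`Stream`, `Message`, `Attachment`, `path_id`) and the sample data are constructed for this example and do not follow Zulip's real export schema.

```python
"""Constructed example: decide which uploads may ship in a public data export,
and audit an export for uploads that should not be there."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Stream:
    stream_id: int
    invite_only: bool          # True for private streams


@dataclass
class Message:
    message_id: int
    recipient_type: str        # "stream" or "private" (direct message)
    stream_id: Optional[int] = None


@dataclass
class Attachment:
    path_id: str               # hypothetical storage path of the upload
    message_ids: List[int] = field(default_factory=list)  # messages that reference it


def public_message_ids(messages: List[Message], streams: List[Stream]) -> Set[int]:
    """IDs of messages posted to public (non-invite-only) streams."""
    public_streams = {s.stream_id for s in streams if not s.invite_only}
    return {m.message_id for m in messages
            if m.recipient_type == "stream" and m.stream_id in public_streams}


def select_public_attachments(attachments, messages, streams) -> List[Attachment]:
    """Keep only uploads referenced by at least one public-stream message.
    A file first sent privately and later re-shared publicly is legitimately public."""
    public_ids = public_message_ids(messages, streams)
    return [a for a in attachments if any(mid in public_ids for mid in a.message_ids)]


def audit_export(exported_path_ids, attachments, messages, streams) -> List[str]:
    """Path IDs present in an existing export that the public rule does not allow."""
    allowed = {a.path_id for a in select_public_attachments(attachments, messages, streams)}
    return sorted(p for p in exported_path_ids if p not in allowed)


# Constructed sample organization: one public stream, one private stream, one DM.
STREAMS = [Stream(1, invite_only=False), Stream(2, invite_only=True)]
MESSAGES = [Message(10, "stream", 1), Message(11, "stream", 2), Message(12, "private")]
ATTACHMENTS = [
    Attachment("2/ab/public.png", [10]),
    Attachment("2/cd/private-stream.pdf", [11]),
    Attachment("2/ef/dm.txt", [12]),
    Attachment("2/gh/shared.txt", [11, 10]),   # posted privately, then re-shared publicly
]
# The faulty behaviour described above: every upload was included.
BUGGY_EXPORT = [a.path_id for a in ATTACHMENTS]

if __name__ == "__main__":
    for path in audit_export(BUGGY_EXPORT, ATTACHMENTS, MESSAGES, STREAMS):
        print("non-public upload found in public export:", path)
```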

References

For more information

If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.

Severity

Moderate, 4.9 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-31134

Weaknesses

No CWEs