Impact
Since Zulip Server 2.1.0, administrators of Zulip organizations can export public data from their organization via the organization settings menu. The exports include all the data that appears in public streams, and can be used to migrate from Zulip Cloud to self-hosting Zulip. Note that exporting private data is a separate process that requires command-line access to the Zulip server.
Due to a bug in the public export code, exports of public data contained all uploaded files, even those from private messages and private streams. This may have allowed organization owners or administrators to extract uploaded files that they were not otherwise allowed to access. The content of non-public messages was never included in public exports.
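The class of bug described above, as an added sketch that is not Zulip's code: the export filters messages by stream visibility but collects uploads realm-wide. The data model, function names and sample data are all hypothetical and constructed for illustration; `leaked_uploads` shows the kind of check an administrator could run against an export to find files that no exported message references.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical, simplified model; not Zulip's schema or export format.
@dataclass(frozen=True)
class Upload:
    path: str

@dataclass
class Message:
    id: int
    stream: str | None  # None models a private (direct) message
    uploads: list[Upload] = field(default_factory=list)

@dataclass
class Realm:
    public_streams: set[str]
    messages: list[Message]

def public_messages(realm: Realm) -> list[Message]:
    return [m for m in realm.messages if m.stream in realm.public_streams]

def export_public_buggy(realm: Realm) -> dict:
    # Messages are filtered by visibility, but uploads are taken realm-wide.
    uploads = {u for m in realm.messages for u in m.uploads}
    return {"messages": public_messages(realm), "uploads": uploads}

def export_public_fixed(realm: Realm) -> dict:
    # Uploads are derived only from the messages that are actually exported.
    msgs = public_messages(realm)
    return {"messages": msgs, "uploads": {u for m in msgs for u in m.uploads}}

def leaked_uploads(export: dict) -> set[Upload]:
    """Audit check: uploads present in the export that no exported message references."""
    referenced = {u for m in export["messages"] for u in m.uploads}
    return export["uploads"] - referenced

# Constructed sample realm: one public stream, one private stream, one direct message.
REALM = Realm(
    public_streams={"general"},
    messages=[
        Message(1, "general", [Upload("a/logo.png")]),
        Message(2, "hr-private", [Upload("b/salaries.xlsx")]),
        Message(3, None, [Upload("c/passport.jpg")]),
    ],
)

if __name__ == "__main__":
    print("buggy export leaks:", sorted(u.path for u in leaked_uploads(export_public_buggy(REALM))))
    print("fixed export leaks:", sorted(u.path for u in leaked_uploads(export_public_fixed(REALM))))
```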
References
For more information
If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.