Impact
Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots.
Patches
The vulnerability is fixed in Zulip Server 5.5.
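The following Python sketch is an added illustration of the class of bug described above, not Zulip's code and not the patch shipped in 5.5: a user-update endpoint whose single coarse check ("is the caller an administrator, or the owner of this bot?") gates every field, including the role field, beside a hardened form where a role change additionally requires administrator permission. The data model, function names and field names are assumptions made for the example.

```python
# Illustrative model of an ownership-vs-privilege authorization flaw.
# This is NOT Zulip's code; the User model, the "role" field and the
# function names are assumptions made for this example.
from dataclasses import dataclass
from typing import Callable, Optional

ROLE_MEMBER = "member"
ROLE_ADMIN = "administrator"


@dataclass
class User:
    user_id: int
    role: str
    full_name: str = ""
    is_bot: bool = False
    bot_owner_id: Optional[int] = None


class PermissionDenied(Exception):
    pass


def _owns_bot(actor: User, target: User) -> bool:
    """A member may manage (rename, deactivate, ...) bots they own."""
    return target.is_bot and target.bot_owner_id == actor.user_id


def update_user_vulnerable(actor: User, target: User,
                           new_full_name: Optional[str] = None,
                           new_role: Optional[str] = None) -> User:
    """Flawed pattern: one coarse check gates every field.

    Bot owners pass the check, so a member can set the role of a bot
    they own to administrator. Kept flawed on purpose to show the bug class.
    """
    if actor.role != ROLE_ADMIN and not _owns_bot(actor, target):
        raise PermissionDenied("not allowed to modify this user")
    if new_full_name is not None:
        target.full_name = new_full_name
    if new_role is not None:
        target.role = new_role          # no per-field privilege check
    return target


def update_user_fixed(actor: User, target: User,
                      new_full_name: Optional[str] = None,
                      new_role: Optional[str] = None) -> User:
    """Hardened pattern: privilege-sensitive fields need the stronger
    permission, independent of bot ownership."""
    if actor.role != ROLE_ADMIN and not _owns_bot(actor, target):
        raise PermissionDenied("not allowed to modify this user")
    if new_full_name is not None:
        target.full_name = new_full_name   # benign owner edits still work
    if new_role is not None:
        if actor.role != ROLE_ADMIN:
            raise PermissionDenied("only administrators may change a role")
        target.role = new_role
    return target


def member_can_elevate_own_bot(update: Callable[..., User]) -> bool:
    """Replay the scenario from the advisory against an update function:
    a plain member tries to make a bot they own an administrator."""
    member = User(user_id=1, role=ROLE_MEMBER, full_name="Member")
    bot = User(user_id=2, role=ROLE_MEMBER, full_name="Bot",
               is_bot=True, bot_owner_id=member.user_id)
    try:
        update(member, bot, new_role=ROLE_ADMIN)
    except PermissionDenied:
        return False
    return bot.role == ROLE_ADMIN


def owner_can_rename_own_bot(update: Callable[..., User]) -> bool:
    """Check that the hardened version did not break legitimate bot edits."""
    member = User(user_id=1, role=ROLE_MEMBER)
    bot = User(user_id=2, role=ROLE_MEMBER, is_bot=True, bot_owner_id=1)
    try:
        update(member, bot, new_full_name="Renamed bot")
    except PermissionDenied:
        return False
    return bot.full_name == "Renamed bot"


if __name__ == "__main__":
    print("vulnerable elevates:", member_can_elevate_own_bot(update_user_vulnerable))  # True
    print("fixed elevates:     ", member_can_elevate_own_bot(update_user_fixed))       # False
    print("fixed still renames:", owner_can_rename_own_bot(update_user_fixed))         # True
```

The design point is that "may the caller touch this object at all" and "may the caller change this particular attribute" are separate questions; the second check has to be applied per field, so that ownership of a bot never implies the right to raise its role.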
Workarounds
Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. An organization administrator can restrict the Who can create bots permission to administrators only, and change the ownership of existing bots.
For more information
If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.