
Insufficient authorization check for changing bot roles in Zulip Server

Moderate
andersk published GHSA-c3cp-ggg5-9xw5 Jul 22, 2022

Package

Zulip Server (Application)

Affected versions

< 5.5

Patched versions

5.5

Description

Impact

Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots.

Patches

The vulnerability is fixed in Zulip Server 5.5.

Workarounds

Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. An organization administrator can restrict the Who can create bots permission to administrators only, and change the ownership of existing bots.
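As an added illustration of the flaw described under Impact and of why the workaround helps (this is not Zulip's code; the role names, `User` model and helper functions are hypothetical), the vulnerable authorization check is shown beside a hardened one that refuses to let an actor grant a role higher than their own:

```python
# Added illustration, not Zulip's code: a minimal model of the bot-role
# authorization bug, with the vulnerable check beside the hardened one.
# Role names, the User model and the helper functions are hypothetical.
from dataclasses import dataclass
from typing import Callable, Optional

ROLE_MEMBER = "member"
ROLE_ADMIN = "administrator"
ROLE_RANK = {ROLE_MEMBER: 1, ROLE_ADMIN: 2}


@dataclass
class User:
    user_id: int
    role: str
    is_bot: bool = False
    bot_owner_id: Optional[int] = None


def vulnerable_can_change_role(actor: User, target: User, new_role: str) -> bool:
    """Flawed check: an admin may edit anyone, and a bot owner may edit their
    own bot, but nothing restricts *which* role may be assigned. A member who
    owns a bot can therefore promote that bot to administrator."""
    if actor.role == ROLE_ADMIN:
        return True
    return target.is_bot and target.bot_owner_id == actor.user_id


def hardened_can_change_role(actor: User, target: User, new_role: str) -> bool:
    """Fixed check: ownership still lets a member manage their own bot, but a
    role may only be granted by an actor who already holds at least that role.
    Owning a resource must never let a user hand out privileges they lack."""
    if new_role not in ROLE_RANK:
        return False
    if ROLE_RANK[new_role] > ROLE_RANK[actor.role]:
        return False  # privilege escalation attempt: refuse
    if actor.role == ROLE_ADMIN:
        return True
    return target.is_bot and target.bot_owner_id == actor.user_id


def change_role(actor: User, target: User, new_role: str,
                policy: Callable[[User, User, str], bool]) -> str:
    """Apply the role change only if the policy allows it; return the
    target's resulting role so callers can audit the outcome."""
    if policy(actor, target, new_role):
        target.role = new_role
    return target.role
```

The same model explains the workaround: a member who owns no bot (and cannot create one) never satisfies the ownership branch, so neither check lets them change any role.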

For more information

If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.

Severity

Moderate (5.4 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE ID

CVE-2022-31168

Weaknesses