
Zulip Server exposes edit events for old messages to new subscribers in protected-history streams

Low
alexmv published GHSA-m5j3-jp59-6f3q Jun 21, 2022

Package

Zulip Server (Application)

Affected versions

2.1.0 through 5.2

Patched versions

5.3

Description

Impact

Zulip allows a stream to be configured as private with protected history, meaning that new subscribers must not be able to see messages sent to the stream before they subscribed. Due to a logic bug in Zulip Server 2.1.0 through 5.2, if one of these old messages was later edited, the server incorrectly sent the resulting edit event, including the message content, to all of the stream's current subscribers rather than only to those who had access to the original message. Official clients ignore such an event for a message they do not already have, so the leaked content could only be observed by a user running a modified client or watching the event stream in their browser's developer tools.
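The following is an added illustration, not Zulip's own code: a constructed, simplified model of the recipient selection behind this bug, showing the vulnerable fan-out (every current subscriber) beside the hardened form (only subscribers who may read the message). The stream setting names mirror Zulip's invite_only and history_public_to_subscribers flags, but the data classes, the time-based access rule and the event shape are assumptions made for the example; the real server's access check is more involved.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed, simplified model of the server-side state involved in this bug.
# The stream flags are named after Zulip's settings, but the data model and
# functions below are illustrative, not Zulip's code.


@dataclass(frozen=True)
class Stream:
    name: str
    invite_only: bool
    history_public_to_subscribers: bool

    @property
    def history_protected(self) -> bool:
        # "Private with protected history": a private stream whose new
        # subscribers must not see messages sent before they joined.
        return self.invite_only and not self.history_public_to_subscribers


@dataclass(frozen=True)
class Subscription:
    user: str
    stream: str
    subscribed_at: int  # logical clock, assumed for the example


@dataclass(frozen=True)
class Message:
    id: int
    stream: str
    sent_at: int  # logical clock, assumed for the example
    content: str


def user_can_access_message(user: str, msg: Message, stream: Stream,
                            subs: List[Subscription]) -> bool:
    """Simplified access rule (an assumption of this example): a subscriber may
    read a message unless the stream has protected history and they
    subscribed after the message was sent."""
    sub = next((s for s in subs if s.user == user and s.stream == stream.name), None)
    if sub is None:
        return False
    if not stream.history_protected:
        return True
    return sub.subscribed_at <= msg.sent_at


def current_subscribers(stream: Stream, subs: List[Subscription]) -> List[str]:
    return sorted({s.user for s in subs if s.stream == stream.name})


def edit_event_recipients_vulnerable(msg: Message, stream: Stream,
                                     subs: List[Subscription]) -> List[str]:
    """Models the pre-5.3 behaviour: fan the edit event out to every current
    subscriber without checking whether each one may read the message."""
    return current_subscribers(stream, subs)


def edit_event_recipients_fixed(msg: Message, stream: Stream,
                                subs: List[Subscription]) -> List[str]:
    """Hardened form: only subscribers who can access the edited message."""
    return [u for u in current_subscribers(stream, subs)
            if user_can_access_message(u, msg, stream, subs)]


def leaked_to(msg: Message, stream: Stream, subs: List[Subscription]) -> List[str]:
    """Users who would receive the edit event but may not read the message."""
    allowed = set(edit_event_recipients_fixed(msg, stream, subs))
    return [u for u in edit_event_recipients_vulnerable(msg, stream, subs)
            if u not in allowed]


def build_update_message_event(msg: Message, new_content: str) -> Dict:
    """Minimal event body carrying the edited content; field names are
    illustrative, not the full Zulip update_message event."""
    return {"type": "update_message", "message_id": msg.id,
            "orig_content": msg.content, "content": new_content}


# Constructed sample data: alice joined before the message, bob after.
PROTECTED = Stream("secret-project", invite_only=True, history_public_to_subscribers=False)
PUBLIC = Stream("announce", invite_only=False, history_public_to_subscribers=True)
SUBS = [
    Subscription("alice", "secret-project", subscribed_at=1),
    Subscription("bob", "secret-project", subscribed_at=10),
    Subscription("alice", "announce", subscribed_at=1),
    Subscription("bob", "announce", subscribed_at=10),
]
OLD_MSG = Message(42, "secret-project", sent_at=5, content="draft budget")
OLD_PUBLIC_MSG = Message(43, "announce", sent_at=5, content="hello all")


if __name__ == "__main__":
    print("vulnerable recipients:", edit_event_recipients_vulnerable(OLD_MSG, PROTECTED, SUBS))
    print("fixed recipients:     ", edit_event_recipients_fixed(OLD_MSG, PROTECTED, SUBS))
    print("leaked to:            ", leaked_to(OLD_MSG, PROTECTED, SUBS))
    print("event body:           ", build_update_message_event(OLD_MSG, "final budget"))
```

The point of the hardened form is that the recipient set for an edit event is derived from who may access the message, not from who is subscribed now; on a public stream or a private stream with public history the two sets coincide, which is why the leak only shows up with protected history.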

Patches

This bug is fixed in Zulip Server 5.3. Installations running 2.1.0 through 5.2 should upgrade.

For more information

If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.

Severity

Low (2.0 / 10)

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-31017
