Impact
Zulip allows a stream to be configured as private with protected history, which means that new subscribers should not be allowed to see old messages in the stream that were sent before they were subscribed. However, due to a logic bug in Zulip Server 2.1.0 and later, if one of these old messages is later edited, the server would incorrectly send an API event including the edited message to all of the stream’s current subscribers, including those who should not have access to the old message. This API event is ignored by official clients, so it could only be observed by a user using a modified client or their browser’s developer tools.
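The following is an added illustration of the recipient-selection logic the paragraph describes; it is not Zulip's own code, and every class and function name in it (Stream, Message, recipients_buggy, recipients_fixed, and so on) is a hypothetical simplification. It models a private stream whose history is protected, sends a message, adds a late subscriber, then compares the buggy fan-out of the edit event (every current subscriber) with a corrected one that only includes subscribers who could read the original message.

```python
"""Toy model of update_message fan-out for a protected-history stream.

Added example, not Zulip's implementation: all names and data structures
here are assumptions made for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Stream:
    stream_id: int
    invite_only: bool
    # False models "private with protected history": a user who subscribes
    # later must not be able to read messages sent before they joined.
    history_public_to_subscribers: bool
    subscribers: set[int] = field(default_factory=set)


@dataclass
class Message:
    message_id: int
    stream_id: int
    # Users the message was delivered to when it was sent; under protected
    # history these are the only subscribers entitled to read it later.
    delivered_to: set[int] = field(default_factory=set)
    content: str = ""


def can_access_message(user_id: int, stream: Stream, message: Message) -> bool:
    """Whether user_id may read message under the stream's history policy."""
    if user_id not in stream.subscribers:
        return False
    if stream.history_public_to_subscribers:
        return True
    return user_id in message.delivered_to


def recipients_buggy(stream: Stream, message: Message) -> set[int]:
    """Behaviour the advisory describes: the edit event is sent to every
    current subscriber, ignoring whether they could read the original."""
    return set(stream.subscribers)


def recipients_fixed(stream: Stream, message: Message) -> set[int]:
    """Corrected selection: only subscribers with access to the original."""
    return {u for u in stream.subscribers
            if can_access_message(u, stream, message)}


def send_message(stream: Stream, message_id: int, content: str) -> Message:
    """Deliver a new message to the stream's subscribers at send time."""
    return Message(message_id, stream.stream_id, set(stream.subscribers), content)


def edit_message(stream: Stream, message: Message, new_content: str,
                 recipient_fn) -> dict[int, dict]:
    """Apply an edit and return the update_message event keyed by user id,
    using recipient_fn to decide who receives it."""
    message.content = new_content
    event = {"type": "update_message",
             "message_id": message.message_id,
             "content": new_content}
    return {uid: event for uid in recipient_fn(stream, message)}


def leaked_to(stream: Stream, message: Message) -> set[int]:
    """Subscribers who get the edited content only because of the bug."""
    return recipients_buggy(stream, message) - recipients_fixed(stream, message)


if __name__ == "__main__":
    # Constructed scenario: users 1 and 2 are subscribed when the message
    # is sent; user 3 subscribes afterwards.
    s = Stream(stream_id=1, invite_only=True,
               history_public_to_subscribers=False, subscribers={1, 2})
    m = send_message(s, 100, "pre-subscription content")
    s.subscribers.add(3)
    print("buggy recipients:", sorted(recipients_buggy(s, m)))
    print("fixed recipients:", sorted(recipients_fixed(s, m)))
    print("leaked to:", sorted(leaked_to(s, m)))
```

Note that the event is the only thing that leaks: the model says nothing about what a client renders, which matches the advisory's point that official clients drop the event and only a modified client or the browser's developer tools would expose it.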
Patches
This bug will be fixed in Zulip Server 5.3.
For more information
If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.