
Non-constant-time SCIM token comparison in Zulip Server

Moderate
alexmv published GHSA-q5gx-377v-w76f Nov 16, 2022

Package

Zulip Server (Application)

Affected versions

5.0 through 5.6

Patched versions

5.7

Description

Impact

Zulip Server 5.0 through 5.6 checked SCIM bearer tokens using a comparator that did not run in constant time. For organizations with SCIM account management enabled, this bug theoretically allowed an attacker to steal the SCIM bearer token, and use it to read and update the Zulip organization’s user accounts. In practice, this vulnerability may not have been practical or exploitable.
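The flaw described above is the classic early-exit string comparison, which leaks the length of the matching prefix through response time. The following added example (not Zulip's own code; the realm-to-token mapping and function names are constructed for illustration) shows that pattern beside the hardened check a SCIM endpoint should use:

```python
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed sample configuration: one SCIM bearer token per realm.
# This layout is hypothetical and does not reproduce Zulip's settings.
SCIM_TOKENS: Mapping[str, str] = {
    "example-realm": "constructed-token-0123456789abcdef",
}


def insecure_token_matches(presented: str, expected: str) -> bool:
    """The vulnerable pattern: '==' on str returns at the first differing
    character, so the time taken depends on how long the shared prefix is."""
    return presented == expected


def token_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison. Both values are hashed first so the compared
    buffers always have equal length, which hmac.compare_digest needs for its
    timing guarantee, and so the secret token's length is not leaked either."""
    presented_digest = hashlib.sha256(presented.encode("utf-8")).digest()
    expected_digest = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(presented_digest, expected_digest)


def authenticate_scim_request(realm: str, authorization_header: Optional[str]) -> bool:
    """Authenticate a SCIM request for `realm` from its Authorization header.

    Returns False (never raises) for a missing header, a non-Bearer scheme,
    an unknown realm or a mismatched token, so the caller sees one uniform
    failure result for every rejected request."""
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False
    expected = SCIM_TOKENS.get(realm)
    if expected is None:
        return False
    return token_matches(token.strip(), expected)
```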

Workarounds

Organizations where SCIM account management has not been enabled are not affected.

For more information

If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.

Severity

Moderate, 4.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVE ID

CVE-2022-41914

Weaknesses