CVE-2022-31134
Severity: MEDIUM (CVSS 4.9)
Description
Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 and above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to administrators, in many configurations server administrators are not expected to have access to private messages and private streams. However, the "public data" export which administrators could generate contained the attachment contents for all attachments, even those from private messages and streams. Zulip Server version 5.4 contains a patch for this issue.
CVE details
CVSS v3.1 score: 4.9
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
User interaction: NONE
Published: 7/12/2022
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
zulip:zulip_server
Weaknesses (CWE)
CWE-200, CWE-434
References
https://blog.zulip.com/2022/07/12/zulip-cloud-data-exports (sources: security-advisories@github.com, af854a3a-2127-422b-91ae-364da2661108)
https://blog.zulip.com/2022/07/12/zulip-server-5-4-security-release (sources: security-advisories@github.com, af854a3a-2127-422b-91ae-364da2661108)
https://github.com/zulip/zulip/security/advisories/GHSA-58pm-88xp-7x9m (sources: security-advisories@github.com, af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.