← Voltar para CVEs
CVE-2022-31134
MEDIUM4.9
Descricao
Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to administrators, in many configurations server administrators are not expected to have access to private messages and private streams. However, the "public data" export which administrators could generate contained the attachment contents for all attachments, even those from private messages and streams. Zulip Server version 5.4 contains a patch for this issue.
Detalhes CVE
Pontuacao CVSS v3.14.9
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosHIGH
Interacao do usuarioNONE
Publicado7/12/2022
Ultima modificacao11/21/2024
Fontenvd
Avistamentos honeypot0
Produtos afetados
zulip:zulip_server
Fraquezas (CWE)
CWE-200CWE-434
Referencias
https://blog.zulip.com/2022/07/12/zulip-cloud-data-exports(security-advisories@github.com)
https://blog.zulip.com/2022/07/12/zulip-server-5-4-security-release(security-advisories@github.com)
https://github.com/zulip/zulip/security/advisories/GHSA-58pm-88xp-7x9m(security-advisories@github.com)
https://blog.zulip.com/2022/07/12/zulip-cloud-data-exports(af854a3a-2127-422b-91ae-364da2661108)
https://blog.zulip.com/2022/07/12/zulip-server-5-4-security-release(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/zulip/zulip/security/advisories/GHSA-58pm-88xp-7x9m(af854a3a-2127-422b-91ae-364da2661108)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.