Vulnerability Description
An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to join. The issue affects all previously released versions of the Zulip server.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zulip | Zulip Server | < 1.4.3 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/97159Third Party AdvisoryVendor Advisory
- https://github.com/zulip/zulip/commit/7ecda1ac8e26d8fb3725e954b2dc4723dda2255fPatchThird Party Advisory
- https://groups.google.com/d/msg/zulip-announce/VyawgRuoY34/NTBwnTArGwAJPatchRelease NotesThird Party Advisory
- http://www.securityfocus.com/bid/97159Third Party AdvisoryVendor Advisory
- https://github.com/zulip/zulip/commit/7ecda1ac8e26d8fb3725e954b2dc4723dda2255fPatchThird Party Advisory
- https://groups.google.com/d/msg/zulip-announce/VyawgRuoY34/NTBwnTArGwAJPatchRelease NotesThird Party Advisory
FAQ
What is CVE-2017-0881?
CVE-2017-0881 is a vulnerability with a CVSS score of 4.3 (MEDIUM). An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a priv...
How severe is CVE-2017-0881?
CVE-2017-0881 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-0881?
Check the references section above for vendor advisories and patch information. Affected products include: Zulip Zulip Server.