CVE-2017-0896 — MEDIUM (6.5)

Vulnerability Description

Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured to prevent this.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Zulip	Zulip Server	1.3.0

Related Weaknesses (CWE)

CWE-285 CWE-862

References

https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761bIssue TrackingPatch
https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ
https://hackerone.com/reports/224210Permissions Required
https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761bIssue TrackingPatch
https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ
https://hackerone.com/reports/224210Permissions Required

FAQ

What is CVE-2017-0896?

CVE-2017-0896 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite oth...

How severe is CVE-2017-0896?

CVE-2017-0896 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-0896?

Check the references section above for vendor advisories and patch information. Affected products include: Zulip Zulip Server.