Vulnerability Description
Zulip is an open-source team collaboration tool. Versions 2.1.0 through and including 5.2 are vulnerable to a logic error. A stream configured as private with protected history, where new subscribers should not be allowed to see messages sent before they were subscribed, when edited causes the server to incorrectly send an API event that includes the edited message to all of the stream’s current subscribers. This API event is ignored by official clients, but can be observed by using a modified client or the browser’s developer tools. This bug will be fixed in Zulip Server 5.3. There are no known workarounds.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zulip | Zulip | >= 2.1.0, < 5.3 |
Related Weaknesses (CWE)
References
- https://github.com/zulip/zulip/security/advisories/GHSA-m5j3-jp59-6f3qThird Party Advisory
- https://github.com/zulip/zulip/security/advisories/GHSA-m5j3-jp59-6f3qThird Party Advisory
FAQ
What is CVE-2022-31017?
CVE-2022-31017 is a vulnerability with a CVSS score of 2.0 (LOW). Zulip is an open-source team collaboration tool. Versions 2.1.0 through and including 5.2 are vulnerable to a logic error. A stream configured as private with protected history, where new subscribers ...
How severe is CVE-2022-31017?
CVE-2022-31017 has been rated LOW with a CVSS base score of 2.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-31017?
Check the references section above for vendor advisories and patch information. Affected products include: Zulip Zulip.