Vulnerability Description
Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 and above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to administrators, in many configurations server administrators are not expected to have access to private messages and private streams. However, the "public data" export which administrators could generate contained the attachment contents for all attachments, even those from private messages and streams. Zulip Server version 5.4 contains a patch for this issue.
CVSS Score
MEDIUM (CVSS base score 4.9)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zulip | Zulip Server | >= 2.1.0, < 5.4 |
Related Weaknesses (CWE)
References
- https://blog.zulip.com/2022/07/12/zulip-cloud-data-exports (Vendor Advisory)
- https://blog.zulip.com/2022/07/12/zulip-server-5-4-security-release (Release Notes, Vendor Advisory)
- https://github.com/zulip/zulip/security/advisories/GHSA-58pm-88xp-7x9m (Release Notes, Third Party Advisory)
FAQ
What is CVE-2022-31134?
CVE-2022-31134 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 and above have a user interface tool, accessible only to server owners and server administrators, which provides a way to downl...
How severe is CVE-2022-31134?
CVE-2022-31134 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-31134?
Yes. Zulip Server version 5.4 contains a patch for this issue; see the references section above for the vendor advisories and release notes. Affected product: Zulip Server (Zulip), versions >= 2.1.0 and < 5.4.