Vulnerability Description
Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.
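The following is an added illustration of the bug class, not code from Zulip or from the referenced patch commit. It models a hypothetical "edit bot" endpoint in two variants: the vulnerable one reuses the bot-ownership check that guards cosmetic edits for the `role` field, so an ordinary member can promote their own bot to realm administrator; the fixed one treats a role change as an administrative action that needs realm-admin rights and never grants a role above the caller's own. The role numbers follow Zulip's public convention (lower number is more privilege: 100 owner, 200 administrator, 300 moderator, 400 member, 600 guest); the `User` model, the function names and the `members` sample used by the exposure check are assumptions made for the example. The exposure check implements the practitioner's side of the workaround: list bots whose owner is not an administrator, since those are the bots that would need their ownership changed.

```python
"""Added illustration of CVE-2022-31168's bug class (not Zulip's own code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Role numbering as used by Zulip: lower number = more privilege.
ROLE_REALM_OWNER = 100
ROLE_REALM_ADMINISTRATOR = 200
ROLE_MODERATOR = 300
ROLE_MEMBER = 400
ROLE_GUEST = 600


@dataclass
class User:
    """Hypothetical user/bot record (assumed shape, not Zulip's model)."""
    user_id: int
    role: int
    is_bot: bool = False
    bot_owner_id: Optional[int] = None

    @property
    def is_realm_admin(self) -> bool:
        # Realm owners count as administrators too.
        return self.role <= ROLE_REALM_ADMINISTRATOR


class PermissionDenied(Exception):
    pass


def _is_owner_or_admin(actor: User, bot: User) -> bool:
    # The check that is sufficient for editing a bot's name or avatar.
    return actor.is_realm_admin or bot.bot_owner_id == actor.user_id


def patch_bot_vulnerable(actor: User, bot: User, new_role: int) -> User:
    """Vulnerable variant: ownership alone authorises every field, role included."""
    if not bot.is_bot:
        raise PermissionDenied("target is not a bot")
    if not _is_owner_or_admin(actor, bot):
        raise PermissionDenied("not the bot's owner or a realm admin")
    bot.role = new_role  # a member can set ROLE_REALM_ADMINISTRATOR here
    return bot


def patch_bot_fixed(actor: User, bot: User, new_role: int) -> User:
    """Fixed variant: a role change is an administrative action in its own right."""
    if not bot.is_bot:
        raise PermissionDenied("target is not a bot")
    if not _is_owner_or_admin(actor, bot):
        raise PermissionDenied("not the bot's owner or a realm admin")
    if new_role != bot.role:
        if not actor.is_realm_admin:
            raise PermissionDenied("only realm admins may change a bot's role")
        if new_role < actor.role:
            # Defensive extra: nobody hands out a role above their own.
            raise PermissionDenied("cannot grant a role above your own")
    bot.role = new_role
    return bot


def attempt(fn: Callable[[User, User, int], User], actor: User, bot: User, new_role: int) -> bool:
    """True if `fn` allowed the role change, False if it raised PermissionDenied."""
    try:
        fn(actor, bot, new_role)
        return True
    except PermissionDenied:
        return False


def bots_owned_by_non_admins(members: List[Dict]) -> List[int]:
    """Exposure check for the workaround: user_ids of bots whose owner is not a realm admin.

    `members` is assumed to look like the `members` array of Zulip's GET /api/v1/users
    response (user_id, is_bot, bot_owner_id, role). An owner that is missing from the
    list is treated as non-admin so the bot is still flagged.
    """
    role_by_id = {m["user_id"]: m["role"] for m in members}
    return sorted(
        m["user_id"]
        for m in members
        if m.get("is_bot") and m.get("bot_owner_id") is not None
        and role_by_id.get(m["bot_owner_id"], ROLE_GUEST) > ROLE_REALM_ADMINISTRATOR
    )


# Constructed sample, not data from any real server.
SAMPLE_MEMBERS = [
    {"user_id": 1, "is_bot": False, "bot_owner_id": None, "role": ROLE_REALM_OWNER},
    {"user_id": 2, "is_bot": False, "bot_owner_id": None, "role": ROLE_MEMBER},
    {"user_id": 3, "is_bot": True, "bot_owner_id": 2, "role": ROLE_MEMBER},
    {"user_id": 4, "is_bot": True, "bot_owner_id": 1, "role": ROLE_MEMBER},
]


def demo():
    """Returns (role after vulnerable call, whether fixed variant blocked it, exposed bot ids)."""
    member = User(2, ROLE_MEMBER)
    bot = User(3, ROLE_MEMBER, is_bot=True, bot_owner_id=2)
    patch_bot_vulnerable(member, bot, ROLE_REALM_ADMINISTRATOR)
    escalated_role = bot.role
    bot.role = ROLE_MEMBER
    blocked = not attempt(patch_bot_fixed, member, bot, ROLE_REALM_ADMINISTRATOR)
    return escalated_role, blocked, bots_owned_by_non_admins(SAMPLE_MEMBERS)


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(200, True, [3])`: the member's bot ends up as a realm administrator under the vulnerable check, the fixed check refuses the same call, and the audit flags bot 3 (owned by member 2) while bot 4 (owned by the realm owner) is fine. Note that the fixed variant still lets a bot owner submit an unchanged role, so the "edit name/avatar" path keeps working for members; only the escalating field is gated.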
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zulip | Zulip | < 5.5 |
Related Weaknesses (CWE)
References
- https://github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034 (Patch, Third Party Advisory)
- https://github.com/zulip/zulip/releases/tag/5.5 (Release Notes, Third Party Advisory)
- https://github.com/zulip/zulip/security/advisories/GHSA-c3cp-ggg5-9xw5 (Third Party Advisory)
FAQ
What is CVE-2022-31168?
CVE-2022-31168 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administra...
How severe is CVE-2022-31168?
CVE-2022-31168 has been rated MEDIUM with a CVSS base score of 5.4/10. No CVSS vector is listed on this page; the GitHub security advisory in the references gives the vendor's assessment.
Is there a patch for CVE-2022-31168?
Yes. The vulnerability is fixed in Zulip Server 5.5; the patch commit, the 5.5 release notes and the GitHub security advisory are listed in the references above. Affected product: Zulip Server, versions before 5.5. Until the upgrade is applied, an organization administrator can restrict the `Who can create bots` permission to administrators only and change the ownership of existing bots.