CVE-2023-28623 — MEDIUM (6.5)

Q: How severe is CVE-2023-28623?

CVE-2023-28623 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-28623?

Check the references section above for vendor advisories and patch information. Affected products include: Zulip Zulip.

Vulnerability Description

Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: The organization permissions don't require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Zulip	Zulip	< 6.2

Related Weaknesses (CWE)

CWE-285 CWE-862

References

https://github.com/zulip/zulip/commit/3df1b4dd7c210c21deb6f829df19412b74573f8dPatchThird Party Advisory
https://github.com/zulip/zulip/security/advisories/GHSA-7p62-pjwg-56rvThird Party Advisory
https://github.com/zulip/zulip/commit/3df1b4dd7c210c21deb6f829df19412b74573f8dPatchThird Party Advisory
https://github.com/zulip/zulip/security/advisories/GHSA-7p62-pjwg-56rvThird Party Advisory

FAQ

What is CVE-2023-28623?

CVE-2023-28623 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBacken...

How severe is CVE-2023-28623?

CVE-2023-28623 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-28623?

Check the references section above for vendor advisories and patch information. Affected products include: Zulip Zulip.