← Back

CVE-2024-21630

nvd nist
Published: Jan 25, 2024Modified: Nov 21, 2024

JSON object

Loading...
4.3
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 / Impact: 1.4
Source: NVD

Description

Zulip is an open-source team collaboration tool. A vulnerability in version 8.0 is similar to CVE-2023-32677, but applies to multi-use invitations, not single-use invitation links as in the prior CVE. Specifically, it applies when the installation has configured non-admins to be able to invite users and create multi-use invitations, and has also configured only admins to be able to invite users to streams. As in CVE-2023-32677, this does not let users invite new users to arbitrary streams, only to streams that the inviter can already see. Version 8.1 fixes this issue. As a workaround, administrators can limit sending of invitations down to users who also have the permission to add users to streams.

Affected (2)

Products: Zulip: Zulip Server
Zulip
1 product
Zulip Server
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Zulip
Zulip Server
From 1.9.0 to 6.2
Zulip Server
From 8.0 to 8.1

Related CWEs

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (10)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
Product
Source: security-advisories@github.com
Product
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Product
Source: af854a3a-2127-422b-91ae-364da2661108
Product

Timeline

No history available yet.