Skip to main content

Zulip Server CVE-2024-21630

MEDIUM
Missing Authorization (CWE-862)
2024-01-25 security-advisories@github.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 25, 2024 - 20:15 nvd
MEDIUM 4.3

DescriptionNVD

Zulip is an open-source team collaboration tool. A vulnerability in version 8.0 is similar to CVE-2023-32677, but applies to multi-use invitations, not single-use invitation links as in the prior CVE. Specifically, it applies when the installation has configured non-admins to be able to invite users and create multi-use invitations, and has also configured only admins to be able to invite users to streams. As in CVE-2023-32677, this does not let users invite new users to arbitrary streams, only to streams that the inviter can already see. Version 8.1 fixes this issue. As a workaround, administrators can limit sending of invitations down to users who also have the permission to add users to streams.

AnalysisAI

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Zulip is an open-source team collaboration tool. A vulnerability in version 8.0 is similar to CVE-2023-32677, but applies to multi-use invitations, not single-use invitation links as in the prior CVE. Specifically, it applies when the installation has configured non-admins to be able to invite users and create multi-use invitations, and has also configured only admins to be able to invite users to streams. As in CVE-2023-32677, this does not let users invite new users to arbitrary streams, only to streams that the inviter can already see. Version 8.1 fixes this issue. As a workaround, administrators can limit sending of invitations down to users who also have the permission to add users to streams. Affected products include: Zulip Zulip Server. Version information: version 8.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2022-21706 CRITICAL
9.8 Feb 26

Zulip is an open-source team collaboration tool with topic-based threading. Rated critical severity (CVSS 9.8), this vul

CVE-2019-18933 CRITICAL
9.8 Nov 21

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registere

CVE-2020-10935 MEDIUM POC
5.4 Apr 20

Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. Rated medium severity (CVSS 5

CVE-2017-0910 HIGH
8.8 Nov 27

In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authori

CVE-2020-15070 HIGH
8.8 Aug 21

Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres

CVE-2025-31478 HIGH
8.2 Apr 16

Zulip is an open-source team collaboration tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploita

CVE-2024-36612 HIGH
7.5 Nov 29

Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers. Rated high severity (CVSS 7.5),

CVE-2020-14215 HIGH
7.5 Aug 21

Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrato

CVE-2025-52559 MEDIUM
6.8 Jul 02

Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL

CVE-2017-0896 MEDIUM
6.5 Jun 02

Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zuli

CVE-2024-27286 MEDIUM
6.5 Mar 20

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2023-32678 MEDIUM
6.5 Aug 25

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium se

Share

CVE-2024-21630 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy