Lucene search

[email protected]NVD:CVE-2023-32678

HistoryAug 25, 2023 - 9:15 p.m.

CVE-2023-32678

2023-08-2521:15:08

CWE-285

[email protected]

web.nvd.nist.gov

cve-2023-32678

zulip

unauthorized access

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.2%

JSON

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, move messages to other streams, and delete messages that they used to have access to, if other relevant organization permissions allow these actions. For example, a user may be able to edit or delete their old messages they posted in such a private stream. An administrator will be able to delete old messages (that they had access to) from the private stream. This issue was fixed in Zulip Server version 7.3.

Affected configurations

NVD

Node

zulipzulip_serverRange<7.3

References

github.com/zulip/zulip/security/advisories/GHSA-q3wg-jm9p-35fj

zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-7-3

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.2%

JSON

Related for NVD:CVE-2023-32678

cvelist1 cve1 osv1 prion1