CVE-2023-32677 : Zulip is an open-source team collaboration tool with unique topic-based threadin

Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in practice, the behavior does violate security-related controls. This does not let a user invite new users to streams they cannot see, or would not be able to add users to if they had that general permission. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may limit sending of invitations down to users who also have the permission to add users to streams.

Published 2023-05-19 21:15:09

Updated 2023-05-26 17:28:43

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-32677

Zulip » Zulip
Versions before (<) 6.2
cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-32677

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 30 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-32677

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.1	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N	1.6	1.4	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
3.1	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N	1.6	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2023-32677

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2023-32677

https://zulip.com/help/restrict-account-creation#change-who-can-send-invitations

Restrict account creation | Zulip help center
Product

CVEs referencing this url
https://zulip.com/help/configure-who-can-invite-to-streams

Restrict stream invitation | Zulip help center
Product

CVEs referencing this url
https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5

CVE-2023-32677: Check permission to subscribe other users in invites. · zulip/zulip@7c2693a · GitHub
Patch;Third Party Advisory
https://github.com/zulip/zulip/security/advisories/GHSA-mrvp-96q6-jpvc

Users who can send invitations can add users to streams during invitation, even if they cannot add users to streams at other times · Advisory · zulip/zulip · GitHub
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-32677

Products affected by CVE-2023-32677

Exploit prediction scoring system (EPSS) score for CVE-2023-32677

CVSS scores for CVE-2023-32677

CWE ids for CVE-2023-32677

References for CVE-2023-32677