Description
Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to administrators, in many configurations server administrators are not expected to have access to private messages and private streams. However, the "public data" export which administrators could generate contained the attachment contents for all attachments, even those from private messages and streams. Zulip Server version 5.4 contains a patch for this issue.
References (3)
Core 3
Core References
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/zulip/zulip/security/advisories/GHSA-58pm-88xp-7x9m
Vendor Advisory x_refsource_misc
https://blog.zulip.com/2022/07/12/zulip-cloud-data-exports
Release Notes, Vendor Advisory x_refsource_misc
https://blog.zulip.com/2022/07/12/zulip-server-5-4-security-release
Scores
CVSS v3
4.9
EPSS
0.0040
EPSS Percentile
60.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-434
CWE-200
Status
published
Products (1)
zulip/zulip_server
2.1.0 - 5.4
Published
Jul 12, 2022
Tracked Since
Feb 18, 2026