CVE-2023-28623

MEDIUM

Zulip - Info Disclosure

Title source: llm

Description

Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: The organization permissions don't require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://github.com/zulip/zulip/security/advisories/GHSA-7p62-pjwg-56rv

Patch, Third Party Advisory x_refsource_misc

https://github.com/zulip/zulip/commit/3df1b4dd7c210c21deb6f829df19412b74573f8d

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0007

EPSS Percentile 20.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862 CWE-285

Status published

Products (1)

zulip/zulip < 6.2

Published May 19, 2023

Tracked Since Feb 18, 2026