CVE-2019-18933
First published: Thu Nov 21 2019(Updated: )
In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zulip Zulip Server | >=1.7.0<2.0.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-18933?
CVE-2019-18933 is a vulnerability in Zulip Server versions from 1.7.0 to before 2.0.7.
What is the severity of CVE-2019-18933?
CVE-2019-18933 has a severity rating of 9.8, which is considered critical.
How does CVE-2019-18933 impact Zulip Server?
CVE-2019-18933 allows users who registered their account using social authentication to have their personal API key stolen if their organization allows password authentication as well.
How can I fix CVE-2019-18933?
To fix CVE-2019-18933, upgrade your Zulip Server installation to version 2.0.7 or later.
Where can I find more information about CVE-2019-18933?
You can find more information about CVE-2019-18933 in the Zulip blog post and GitHub commit referenced in the vulnerability description.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/author
- agent/remedy
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- vendor/zulip
- canonical/zulip zulip server
- version/zulip zulip server/1.7.0