First published: Thu Nov 21 2019
In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zulip Zulip Server | >=1.7.0, <2.0.7 | Upgrade to 2.0.7 or later |
CVE-2019-18933 is a vulnerability in Zulip Server versions from 1.7.0 to before 2.0.7.
CVE-2019-18933 has a severity rating of 9.8, which is considered critical.
CVE-2019-18933 allows users who registered their account using social authentication to have their personal API key stolen if their organization allows password authentication as well.
To fix CVE-2019-18933, upgrade your Zulip Server installation to version 2.0.7 or later.
You can find more information about CVE-2019-18933 in the Zulip blog post and GitHub commit referenced in the vulnerability description.