CVE-2021-43791
First published: Thu Dec 02 2021(Updated: )
Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint, before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/ - meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zulip Zulip | <4.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-43791?
The severity of CVE-2021-43791 is medium with a CVSS score of 5.3.
How does CVE-2021-43791 affect Zulip?
CVE-2021-43791 affects Zulip versions up to 4.8.
What is the CWE category of CVE-2021-43791?
The CWE category of CVE-2021-43791 is CWE-613.
How can I fix CVE-2021-43791 in Zulip?
To fix CVE-2021-43791 in Zulip, update to a version higher than 4.8.
Where can I find more information about CVE-2021-43791?
You can find more information about CVE-2021-43791 on the official GitHub page and the security advisories page of Zulip.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- vendor/zulip
- canonical/zulip zulip