CVE-2022-31168
First published: Fri Jul 22 2022(Updated: )
Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zulip Zulip | <5.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-31168?
CVE-2022-31168 is a vulnerability in Zulip Server 5.4 and earlier that allows a member of an organization to gain administrator privileges for one of their bots through a crafted API call.
How severe is CVE-2022-31168?
CVE-2022-31168 has a severity rating of 8.8 (high).
Which software versions are affected by CVE-2022-31168?
Zulip Server versions up to and excluding 5.5 are affected by CVE-2022-31168.
How can I fix CVE-2022-31168?
To fix CVE-2022-31168, upgrade to Zulip Server 5.5 or a later version.
Where can I find more information about CVE-2022-31168?
You can find more information about CVE-2022-31168 at the following references: [GitHub Commit](https://github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034), [Zulip Server 5.5 Release](https://github.com/zulip/zulip/releases/tag/5.5), [GitHub Security Advisories](https://github.com/zulip/zulip/security/advisories/GHSA-c3cp-ggg5-9xw5).
- collector/nvd-index
- vendor/zulip
- canonical/zulip zulip