First published: Fri Jul 22 2022(Updated: )
Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Zulip Zulip | <5.5 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-31168 is a vulnerability in Zulip Server 5.4 and earlier that allows a member of an organization to gain administrator privileges for one of their bots through a crafted API call.
CVE-2022-31168 has a severity rating of 8.8 (high).
Zulip Server versions up to and excluding 5.5 are affected by CVE-2022-31168.
To fix CVE-2022-31168, upgrade to Zulip Server 5.5 or a later version.
You can find more information about CVE-2022-31168 at the following references: [GitHub Commit](https://github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034), [Zulip Server 5.5 Release](https://github.com/zulip/zulip/releases/tag/5.5), [GitHub Security Advisories](https://github.com/zulip/zulip/security/advisories/GHSA-c3cp-ggg5-9xw5).