Executive Summary

Informations
Name CVE-2023-32677 First vendor Publication 2023-05-19
Vendor Cve Last vendor Modification 2023-05-26

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Overall CVSS Score 3.1
Base Score 3.1 Environmental Score 3.1
impact SubScore 1.4 Temporal Score 3.1
Exploitabality Sub Score 1.6
 
Attack Vector Network Attack Complexity High
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact Low
Integrity Impact None Availability Impact None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in practice, the behavior does violate security-related controls. This does not let a user invite new users to streams they cannot see, or would not be able to add users to if they had that general permission. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may limit sending of invitations down to users who also have the permission to add users to streams.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32677

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 3

Sources (Detail)

Source Url
MISC https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5
https://github.com/zulip/zulip/security/advisories/GHSA-mrvp-96q6-jpvc
https://zulip.com/help/configure-who-can-invite-to-streams
https://zulip.com/help/restrict-account-creation#change-who-can-send-invitations

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2023-05-26 21:27:18
  • Multiple Updates
2023-05-20 17:27:19
  • Multiple Updates
2023-05-20 00:27:15
  • First insertion