A vulnerability has been found in Zulip Server up to 1.7.0 and classified as critical. Affected by this vulnerability is some unknown functionality of the component Invitation System. The manipulation with an unknown input leads to a improper authentication vulnerability (User). The CWE definition for the vulnerability is CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm.

The bug was discovered 11/23/2017. The weakness was presented 11/27/2017 (Website). The advisory is shared at blog.zulip.org. This vulnerability is known as CVE-2017-0910 since 11/30/2016. The attack can be launched remotely. A single authentication is required for exploitation. Neither technical details nor an exploit are publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 4 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 1.7.1 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• Zulip

Name

• Server

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion