CVE-2022-31168 Zulip is an open source team chat tool. In Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants them administrator privileges.

Zulip teams are encouraged to update their Zulip servers to version 5.5 as soon as possible. An upgrade is simple and quick. Also, be sure to review the steps for updating a Zonpi installation. If you own a bot, or have permission to create bots, and you don’t see any signs of the vulnerability, you can consider this case closed.

What is Zulip?

Zulip is free, open-source software for teams. Zulip is for everyone, from small groups and individuals to large businesses and institutions. With a powerful yet easy-to-use interface and intuitive plugins, Zulip makes it easy for anyone to create a team chat room on their server.
Some of the features you can expect from Zulip are:
* A friendly user interface that’s easy to use
* Customizable themes
* Full plugin support
* Chat history syncing between servers
* Image sharing through embedded galleries
* Message searching through all conversations
* Persistent rooms across multiple devices, including mobile phones and tablets
* A built-in web client that works even if your server doesn't have PHP or MySQL installed

What is CVE-2022?

A vulnerability in the Zulip server that can be exploited to cause a denial of service (DoS) attack.

What is Zulip?

Zulip is an open-source group chat application. It's designed for teams of any size - as small as 2 people and as large as hundreds of thousands. It allows users to organize discussions around a shared topic, like a product, company, or project.
Zulip was created because alternatives like Slack became too expensive for most organizations and mediums of communication like email are too complicated when you have a team of people with different preferences. Zulip allows you to create your own private workspace that's completely customizable and has features like file sharing and bots.

Can you confirm if you are vulnerable?

Check your Zulip server version. If it is at 5.5 or above, the vulnerability has been resolved. If you are still unable to upgrade, contact support@zonpi.com for assistance.
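One way to script this version check across several servers, as an added example that is not from the original page or from the Zulip project. It assumes the server reports its version in the `zulip_version` field of `GET /api/v1/server_settings`, takes the 5.5 threshold from this page, and uses constructed host names and responses; builds carrying a suffix such as `+git` are reported as unknown because the number alone does not show whether the fix is included.

```python
import json
import re
import urllib.request

FIXED = (5, 5)  # first fixed release, per this page

# Constructed sample responses (trimmed to the one field used here).
SAMPLES = {
    "chat-a.example": {"result": "success", "zulip_version": "5.4"},
    "chat-b.example": {"result": "success", "zulip_version": "5.10"},
    "chat-c.example": {"result": "success", "zulip_version": "6.0-dev+git"},
    "chat-d.example": {"result": "success", "zulip_version": "2.1.4"},
}


def fetch_settings(base_url, timeout=10):
    """Fetch the unauthenticated server_settings document from a live server."""
    url = base_url.rstrip("/") + "/api/v1/server_settings"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def classify(version):
    """Map a zulip_version string to 'affected', 'fixed' or 'unknown'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)?(.*)", version.strip())
    if not m:
        return "unknown"
    if m.group(3):
        # Suffix such as "+git" or "-dev": not a tagged release, so the
        # number cannot tell whether the fix is included.
        return "unknown"
    # Compare as integers so that 5.10 sorts after 5.5.
    release = (int(m.group(1)), int(m.group(2)))
    return "fixed" if release >= FIXED else "affected"


def triage(responses):
    """Return {host: (version, status)} for a dict of server_settings replies."""
    out = {}
    for host, body in responses.items():
        version = str(body.get("zulip_version", ""))
        out[host] = (version, classify(version))
    return out


if __name__ == "__main__":
    for host, (version, status) in sorted(triage(SAMPLES).items()):
        print(f"{host:16} {version:14} {status}")
```

For a live server, pass the result of `fetch_settings("https://your-zulip-host")` to `triage` in place of a sample entry.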
