github - ghsa-435h-5vch-xh86

ghsa-435h-5vch-xh86

Vulnerability from github

Published

2022-05-13 01:38

Modified

2022-05-13 01:38

Severity ?

4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to join. The issue affects all previously released versions of the Zulip server.

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-0881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-28T02:59:00Z",
    "severity": "MODERATE"
  },
  "details": "An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to join. The issue affects all previously released versions of the Zulip server.",
  "id": "GHSA-435h-5vch-xh86",
  "modified": "2022-05-13T01:38:28Z",
  "published": "2022-05-13T01:38:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0881"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zulip/zulip/commit/7ecda1ac8e26d8fb3725e954b2dc4723dda2255f"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/d/msg/zulip-announce/VyawgRuoY34/NTBwnTArGwAJ"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97159"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2017-0881 (GCVE-0-2017-0881)

Vulnerability from cvelistv5

Published

2017-03-28 02:46

Modified

2024-08-05 13:18

Severity ?

CWE

CWE-200 - Information Exposure ()

Summary

An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to join. The issue affects all previously released versions of the Zulip server.

References

►

URL

Tags

	http://www.securityfocus.com/bid/97159	vdb-entry, x_refsource_BID
	https://groups.google.com/d/msg/zulip-announce/VyawgRuoY34/NTBwnTArGwAJ	x_refsource_MISC
	https://github.com/zulip/zulip/commit/7ecda1ac8e26d8fb3725e954b2dc4723dda2255f	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Zulip Server Versions 1.4.2 and below	Version: Zulip Server Versions 1.4.2 and below

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:18:06.509Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "97159",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97159"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/d/msg/zulip-announce/VyawgRuoY34/NTBwnTArGwAJ"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/zulip/zulip/commit/7ecda1ac8e26d8fb3725e954b2dc4723dda2255f"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Zulip Server Versions 1.4.2 and below",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Zulip Server Versions 1.4.2 and below"
            }
          ]
        }
      ],
      "datePublic": "2017-03-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to join. The issue affects all previously released versions of the Zulip server."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "Information Exposure (CWE-200)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-03-29T09:57:01",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "name": "97159",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97159"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/d/msg/zulip-announce/VyawgRuoY34/NTBwnTArGwAJ"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zulip/zulip/commit/7ecda1ac8e26d8fb3725e954b2dc4723dda2255f"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2017-0881",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Zulip Server Versions 1.4.2 and below",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Zulip Server Versions 1.4.2 and below"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to join. The issue affects all previously released versions of the Zulip server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Exposure (CWE-200)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "97159",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97159"
            },
            {
              "name": "https://groups.google.com/d/msg/zulip-announce/VyawgRuoY34/NTBwnTArGwAJ",
              "refsource": "MISC",
              "url": "https://groups.google.com/d/msg/zulip-announce/VyawgRuoY34/NTBwnTArGwAJ"
            },
            {
              "name": "https://github.com/zulip/zulip/commit/7ecda1ac8e26d8fb3725e954b2dc4723dda2255f",
              "refsource": "MISC",
              "url": "https://github.com/zulip/zulip/commit/7ecda1ac8e26d8fb3725e954b2dc4723dda2255f"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2017-0881",
    "datePublished": "2017-03-28T02:46:00",
    "dateReserved": "2016-11-30T00:00:00",
    "dateUpdated": "2024-08-05T13:18:06.509Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.