CVE-2021-30478 - OpenCVE

An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Zulip	Zulip Server

Configuration 1 [-]

cpe:2.3:a:zulip:zulip_server:*:*:*:*:*:*:*:*

References

Link	Resource
https://blog.zulip.com/2021/04/14/zulip-server-3-4/	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-04-14T23:47:27

Updated: 2021-04-14T23:47:27

Reserved: 2021-04-09T00:00:00

Link: CVE-2021-30478

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-04-15T00:15:13.107

Modified: 2022-07-12T17:42:04.277

Link: CVE-2021-30478

JSON object: View

Redhat Information

No data.

CWE

CWE-269

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zulip:zulip_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "09622761-7CB9-4FD7-82B0-B80CD94D296D", "versionEndExcluding": "3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Zulip Server versiones anteriores a 3.4. Un bug en la implementaci\u00f3n del permiso can_forge_sender (anteriormente es_api_super_user) hizo a unos usuarios con este permiso pudieran enviar mensajes que parec\u00edan enviados por un bot del sistema, inclusive a otras organizaciones alojadas por la misma instalaci\u00f3n de Zulip"}], "id": "CVE-2021-30478", "lastModified": "2022-07-12T17:42:04.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-15T00:15:13.107", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://blog.zulip.com/2021/04/14/zulip-server-3-4/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}