Home > Vulnerability Database > CVE-2022-31168

Mend.io Vulnerability Database

CVE-2022-31168

Good to know:

Date: July 22, 2022

Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who donâ€™t own any bots, and lack permission to create them, canâ€™t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.

Language: Python

Severity Score

8.8

Related Resources (5)

Url: https://github.com/zulip/zulip/security/advisories/GHSA-c3cp-ggg5-9xw5

Url: https://github.com/zulip/zulip/releases/tag/5.5

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-31168

Url: https://github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034

Url: https://www.mend.io/vulnerability-database/CVE-2022-31168

Severity Score

8.8

Weakness Type (CWE)

Improper Authorization

CWE-285

Incorrect Authorization

CWE-863

Top Fix

Upgrade Version

Upgrade to version 5.5

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-31168

Good to know:

Date: July 22, 2022

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?