Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-28623

Good to know:

icon

Date: May 19, 2023

Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside of `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py` and 2: The organization permissions don't require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having `Invitations are required for joining this organization` organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the `Invitations are required for joining this organization` organization permission to prevent this issue.

Language: Python

Severity Score

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2023-28623
https://github.com/zulip/zulip/security/advisories/GHSA-7p62-pjwg-56rv
https://github.com/zulip/zulip/commit/3df1b4dd7c210c21deb6f829df19412b74573f8d
https://www.mend.io/vulnerability-database/CVE-2023-28623

Severity Score

Weakness Type (CWE)

Improper Authorization

CWE-285

Missing Authorization

CWE-862

Top Fix

icon

Upgrade Version

Upgrade to version 6.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us