CVE-2017-0896 (GCVE-0-2017-0896)
Vulnerability from cvelistv5
Published
2017-06-02 17:00
Modified
2024-08-05 13:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization ()
Summary
Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured to prevent this.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Zulip | Zulip Server |
Version: 1.5.1 and below |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:16.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[zulip-announce] 20170601 Zulip Server 1.5.2 released",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/224210"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Zulip Server",
"vendor": "Zulip",
"versions": [
{
"status": "affected",
"version": "1.5.1 and below"
}
]
}
],
"datePublic": "2017-06-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured to prevent this."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization (CWE-285)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-02T16:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"name": "[zulip-announce] 20170601 Zulip Server 1.5.2 released",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/224210"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0896",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zulip Server",
"version": {
"version_data": [
{
"version_value": "1.5.1 and below"
}
]
}
}
]
},
"vendor_name": "Zulip"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured to prevent this."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authorization (CWE-285)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[zulip-announce] 20170601 Zulip Server 1.5.2 released",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/#!msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ"
},
{
"name": "https://hackerone.com/reports/224210",
"refsource": "MISC",
"url": "https://hackerone.com/reports/224210"
},
{
"name": "https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b",
"refsource": "MISC",
"url": "https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0896",
"datePublished": "2017-06-02T17:00:00",
"dateReserved": "2016-11-30T00:00:00",
"dateUpdated": "2024-08-05T13:25:16.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2017-0896\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2017-06-02T17:29:00.167\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured to prevent this.\"},{\"lang\":\"es\",\"value\":\"Zulip Server versi\u00f3n 1.5.1 y posteriores, sufre de un error en la implementaci\u00f3n de la configuraci\u00f3n de invite_by_admins_only en el servidor de aplicaciones de chat del grupo Zulip que permiti\u00f3 a un usuario autenticado invitar a otros usuarios a unirse a una organizaci\u00f3n Zulip, incluso si la organizaci\u00f3n fue configurada para evitar esto.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"03ECA4CD-B128-45EA-8A19-5F137BD08690\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0609969D-7C68-4428-A2F3-EA532F6C4045\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6141BC81-A452-44F0-9A61-B82772D406FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3662F33-CC19-46AE-902F-2A685030FDE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A20311C-FC51-4ED5-BCBC-955543FD1AF5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4CC0654-4F8C-4D1B-B06F-035368E7B120\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"13048A35-82DA-45AF-BB3C-AEBD1A80734B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BE689D6F-F774-41AF-B97A-23973E22C9C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7C300421-CBDE-4DC2-A41E-38AFDD498725\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"08DE09CC-3869-4686-A36D-F42788FC7118\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A6AAE8C-F5E6-4A9C-9AF1-0D03EB9A7E97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"612DA887-F6BC-45F8-B187-AE23CF2F1027\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.3.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A21AE1B1-5A7E-447A-9301-1AD965F04833\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"034098C9-DCC3-46CC-9534-811F28F4493D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA56546E-7E0A-49EB-967A-7219C907BE50\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2CF03C39-6873-4044-96B8-760156D7B1BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.4.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A0167E36-42E4-4DA5-96FB-CFF0EC8FDA38\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3914FE1E-E734-4B4A-8266-25FB5C32800D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zulip:zulip_server:1.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B25BEDD5-B562-4A2E-8284-07A47CB1F6D3\"}]}]}],\"references\":[{\"url\":\"https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b\",\"source\":\"support@hackerone.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ\",\"source\":\"support@hackerone.com\"},{\"url\":\"https://hackerone.com/reports/224210\",\"source\":\"support@hackerone.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://hackerone.com/reports/224210\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…