References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6.

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-862

https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236

https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae

https://github.com/zulip/zulip/releases/tag/11.6

https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w