Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-22735

Zulip is an open-source team collaboration tool. In versions of zulip prior to commit `2f6c5a8` but after commit `04cf68b` users could upload files with arbitrary `Content-Type` which would be served from the Zulip hostname with `Content-Disposition: inline` and no `Content-Security-Policy` header, allowing them to trick other users into executing arbitrary Javascript in the context of the Zulip application. Among other things, this enables session theft. Only deployments which use the S3 storage (not the local-disk storage) are affected, and only deployments which deployed commit 04cf68b45ebb5c03247a0d6453e35ffc175d55da, which has only been in `main`, not any numbered release. Users affected should upgrade from main again to deploy this fix. Switching from S3 storage to the local-disk storage would nominally mitigate this, but is likely more involved than upgrading to the latest `main` which addresses the issue.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 4.4, indicating it can be exploited remotely over the network but requires specific conditions to be met though user interaction is required requiring only low-level privileges . The vulnerability impacts limited data confidentiality, limited integrity, for affected systems. Impacting 1 product from zulip organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2023, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2023-02-07T19:15:09.303

Last Modified

2024-11-21T07:45:19.343

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.4 (MEDIUM)

Weaknesses

Type: Secondary
CWE-436

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	zulip	zulip_server	2023-01-09	Yes

References

https://github.com/zulip/zulip/commit/04cf68b45ebb5c03247a0d6453e35ffc175d55da Product ([email protected])
https://github.com/zulip/zulip/commit/2f6c5a883e106aa82a570d3d1f243993284b70f3 Patch ([email protected])
https://github.com/zulip/zulip/security/advisories/GHSA-wm83-3764-5wqh Patch, Vendor Advisory ([email protected])
https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-from-a-git-repository Not Applicable ([email protected])
https://github.com/zulip/zulip/commit/04cf68b45ebb5c03247a0d6453e35ffc175d55da Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/zulip/zulip/commit/2f6c5a883e106aa82a570d3d1f243993284b70f3 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/zulip/zulip/security/advisories/GHSA-wm83-3764-5wqh Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-from-a-git-repository Not Applicable (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For zulip's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.