{"containers": {"cna": {"affected": [{"product": "zulip", "vendor": "zulip", "versions": [{"status": "affected", "version": ">= 4.0, < 4.11"}]}], "descriptions": [{"lang": "en", "value": "Zulip is an open source group chat application. Starting with version 4.0 and prior to version 4.11, Zulip is vulnerable to a race condition during account deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user. A patch is available in version 4.11 on the 4.x branch and version 5.0-rc1 on the 5.x branch. Upgrading to a fixed version will, as a side effect, deactivate any cached sessions that may have been leaked through this bug. There are currently no known workarounds."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-16T13:30:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-6v98-m5x5-phqj"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/commit/62ba8e455d8f460001d9fb486a6dabfd1ed67717"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/commit/e6eace307ef435eec3395c99247155efed9219e4"}], "source": {"advisory": "GHSA-6v98-m5x5-phqj", "discovery": "UNKNOWN"}, "title": "Race condition in Zulip", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24751", "STATE": "PUBLIC", "TITLE": "Race condition in Zulip"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "zulip", "version": {"version_data": [{"version_value": ">= 4.0, < 4.11"}]}}]}, "vendor_name": "zulip"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Zulip is an open source group chat application. Starting with version 4.0 and prior to version 4.11, Zulip is vulnerable to a race condition during account deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user. A patch is available in version 4.11 on the 4.x branch and version 5.0-rc1 on the 5.x branch. Upgrading to a fixed version will, as a side effect, deactivate any cached sessions that may have been leaked through this bug. There are currently no known workarounds."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/zulip/zulip/security/advisories/GHSA-6v98-m5x5-phqj", "refsource": "CONFIRM", "url": "https://github.com/zulip/zulip/security/advisories/GHSA-6v98-m5x5-phqj"}, {"name": "https://github.com/zulip/zulip/commit/62ba8e455d8f460001d9fb486a6dabfd1ed67717", "refsource": "MISC", "url": "https://github.com/zulip/zulip/commit/62ba8e455d8f460001d9fb486a6dabfd1ed67717"}, {"name": "https://github.com/zulip/zulip/commit/e6eace307ef435eec3395c99247155efed9219e4", "refsource": "MISC", "url": "https://github.com/zulip/zulip/commit/e6eace307ef435eec3395c99247155efed9219e4"}]}, "source": {"advisory": "GHSA-6v98-m5x5-phqj", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:50.479Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-6v98-m5x5-phqj"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zulip/zulip/commit/62ba8e455d8f460001d9fb486a6dabfd1ed67717"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zulip/zulip/commit/e6eace307ef435eec3395c99247155efed9219e4"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24751", "datePublished": "2022-03-16T13:30:15", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.479Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*", "matchCriteriaId": "011572BD-FA58-42D2-AC46-1503D66E31D3", "versionEndExcluding": "4.11", "versionStartIncluding": "4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Zulip is an open source group chat application. Starting with version 4.0 and prior to version 4.11, Zulip is vulnerable to a race condition during account deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user. A patch is available in version 4.11 on the 4.x branch and version 5.0-rc1 on the 5.x branch. Upgrading to a fixed version will, as a side effect, deactivate any cached sessions that may have been leaked through this bug. There are currently no known workarounds."}, {"lang": "es", "value": "Zulip es una aplicaci\u00f3n de chat de grupo de c\u00f3digo abierto. A partir de la versi\u00f3n 4.0 y versiones anteriores a 4.11, Zulip es vulnerable a una condici\u00f3n de carrera durante la deshabilitaci\u00f3n de la cuenta, donde un acceso simult\u00e1neo por parte del usuario que est\u00e1 siendo deshabilitado puede, en raros casos, permitir el acceso continuo por parte del usuario deshabilitado. Se presenta un parche disponible en versi\u00f3n 4.11 en la rama 4.x y en versi\u00f3n 5.0-rc1 en la rama 5.x. Una actualizaci\u00f3n a una versi\u00f3n corregida deshabilitar\u00e1, como efecto secundario, cualquier sesi\u00f3n en cach\u00e9 que pueda haberse filtrado mediante este bug. Actualmente no se presentan medidas de mitigaci\u00f3n conocidas"}], "id": "CVE-2022-24751", "lastModified": "2024-11-21T06:51:00.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-16T14:15:08.487", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zulip/zulip/commit/62ba8e455d8f460001d9fb486a6dabfd1ed67717"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zulip/zulip/commit/e6eace307ef435eec3395c99247155efed9219e4"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-6v98-m5x5-phqj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zulip/zulip/commit/62ba8e455d8f460001d9fb486a6dabfd1ed67717"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zulip/zulip/commit/e6eace307ef435eec3395c99247155efed9219e4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-6v98-m5x5-phqj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}