CVE-2022-36048 - OpenCVE

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer’s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Server 5.6. Zulip organizations with image and link previews [disabled](https://zulip.com/help/allow-image-link-previews) are not affected.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zulip	Zulip

Configuration 1 [-]

cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-08-31T19:15:11

Updated: 2024-08-03T09:52:00.508Z

Reserved: 2022-07-15T00:00:00

Link: CVE-2022-36048

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-31T20:15:08.813

Modified: 2022-09-08T14:17:36.757

Link: CVE-2022-36048

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "zulip", "vendor": "zulip", "versions": [{"status": "affected", "version": "< 5.6"}]}], "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer\u2019s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Server 5.6. Zulip organizations with image and link previews [disabled](https://zulip.com/help/allow-image-link-previews) are not affected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-31T19:15:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452"}], "source": {"advisory": "GHSA-vg5m-mf9x-j452", "discovery": "UNKNOWN"}, "title": "IP address leak via image proxy bypass in Zulip Server", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36048", "STATE": "PUBLIC", "TITLE": "IP address leak via image proxy bypass in Zulip Server"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "zulip", "version": {"version_data": [{"version_value": "< 5.6"}]}}]}, "vendor_name": "zulip"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer\u2019s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Server 5.6. Zulip organizations with image and link previews [disabled](https://zulip.com/help/allow-image-link-previews) are not affected."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-436: Interpretation Conflict"}]}]}, "references": {"reference_data": [{"name": "https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452", "refsource": "CONFIRM", "url": "https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452"}]}, "source": {"advisory": "GHSA-vg5m-mf9x-j452", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.508Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36048", "datePublished": "2022-08-31T19:15:11", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:52:00.508Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*", "matchCriteriaId": "22D5894B-5893-44F5-AFF3-8DCB4D476E53", "versionEndExcluding": "5.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer\u2019s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Server 5.6. Zulip organizations with image and link previews [disabled](https://zulip.com/help/allow-image-link-previews) are not affected."}, {"lang": "es", "value": "Zulip es una herramienta de colaboraci\u00f3n en equipo de c\u00f3digo abierto con hilos basados en temas que combinan el correo electr\u00f3nico y el chat. Cuando muestra mensajes con im\u00e1genes remotas insertadas, Zulip normalmente carga la vista previa de la imagen por medio de un servidor proxy go-camo. Sin embargo, un atacante que pueda enviar mensajes podr\u00eda incluir una URL dise\u00f1ada que enga\u00f1e al servidor para que inserte una referencia de imagen remota directamente. Esto podr\u00eda permitir al atacante inferir la direcci\u00f3n IP del espectador y la informaci\u00f3n de las huellas del navegador. Esta vulnerabilidad ha sido corregido en Zulip Server versi\u00f3n 5.6. Las organizaciones de Zulip con vistas previas de im\u00e1genes y enlaces [deshabilitadas] (https://zulip.com/help/allow-image-link-previews) no est\u00e1n afectadas"}], "id": "CVE-2022-36048", "lastModified": "2022-09-08T14:17:36.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-08-31T20:15:08.813", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}], "source": "security-advisories@github.com", "type": "Primary"}]}