{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-47642", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-07T16:57:49.245Z", "datePublished": "2023-11-16T21:41:46.646Z", "dateUpdated": "2024-08-29T14:49:20.515Z"}, "containers": {"cna": {"title": "Stream description leaks to ex-subscribers in Zulip", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zulip/zulip/security/advisories/GHSA-c9wc-65fh-9x8p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-c9wc-65fh-9x8p"}, {"name": "https://github.com/zulip/zulip/commit/6336322d2f9bbccaacfc80cba83a3c62eefd5737", "tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/commit/6336322d2f9bbccaacfc80cba83a3c62eefd5737"}], "affected": [{"vendor": "zulip", "product": "zulip", "versions": [{"version": ">= 1.3.0, < 7.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-16T21:41:46.646Z"}, "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. It was discovered by the Zulip development team that active users who had previously been subscribed to a stream incorrectly continued being able to use the Zulip API to access metadata for that stream. As a result, users who had been removed from a stream, but still had an account in the organization, could still view metadata for that stream (including the stream name, description, settings, and an email address used to send emails into the stream via the incoming email integration). This potentially allowed users to see changes to a stream\u2019s metadata after they had lost access to the stream. This vulnerability has been addressed in version 7.5 and all users are advised to upgrade. There are no known workarounds for this issue."}], "source": {"advisory": "GHSA-c9wc-65fh-9x8p", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:16:43.329Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/zulip/zulip/security/advisories/GHSA-c9wc-65fh-9x8p", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-c9wc-65fh-9x8p"}, {"name": "https://github.com/zulip/zulip/commit/6336322d2f9bbccaacfc80cba83a3c62eefd5737", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zulip/zulip/commit/6336322d2f9bbccaacfc80cba83a3c62eefd5737"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T14:43:36.650594Z", "id": "CVE-2023-47642", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T14:49:20.515Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-47642", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-07T16:57:49.245Z", "datePublished": "2023-11-16T21:41:46.646Z", "dateUpdated": "2024-08-29T14:49:20.515Z"}, "containers": {"cna": {"title": "Stream description leaks to ex-subscribers in Zulip", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zulip/zulip/security/advisories/GHSA-c9wc-65fh-9x8p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-c9wc-65fh-9x8p"}, {"name": "https://github.com/zulip/zulip/commit/6336322d2f9bbccaacfc80cba83a3c62eefd5737", "tags": ["x_refsource_MISC"], "url": "https://github.com/zulip/zulip/commit/6336322d2f9bbccaacfc80cba83a3c62eefd5737"}], "affected": [{"vendor": "zulip", "product": "zulip", "versions": [{"version": ">= 1.3.0, < 7.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-16T21:41:46.646Z"}, "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. It was discovered by the Zulip development team that active users who had previously been subscribed to a stream incorrectly continued being able to use the Zulip API to access metadata for that stream. As a result, users who had been removed from a stream, but still had an account in the organization, could still view metadata for that stream (including the stream name, description, settings, and an email address used to send emails into the stream via the incoming email integration). This potentially allowed users to see changes to a stream\u2019s metadata after they had lost access to the stream. This vulnerability has been addressed in version 7.5 and all users are advised to upgrade. There are no known workarounds for this issue."}], "source": {"advisory": "GHSA-c9wc-65fh-9x8p", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:16:43.329Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/zulip/zulip/security/advisories/GHSA-c9wc-65fh-9x8p", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-c9wc-65fh-9x8p"}, {"name": "https://github.com/zulip/zulip/commit/6336322d2f9bbccaacfc80cba83a3c62eefd5737", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zulip/zulip/commit/6336322d2f9bbccaacfc80cba83a3c62eefd5737"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-47642", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-29T14:43:36.650594Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T14:49:14.993Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zulip:zulip_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "90D94B75-D1FD-4045-AA53-F03EE0DFD781", "versionEndExcluding": "7.5", "versionStartIncluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool. It was discovered by the Zulip development team that active users who had previously been subscribed to a stream incorrectly continued being able to use the Zulip API to access metadata for that stream. As a result, users who had been removed from a stream, but still had an account in the organization, could still view metadata for that stream (including the stream name, description, settings, and an email address used to send emails into the stream via the incoming email integration). This potentially allowed users to see changes to a stream\u2019s metadata after they had lost access to the stream. This vulnerability has been addressed in version 7.5 and all users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "Zulip es una herramienta de colaboraci\u00f3n en equipo de c\u00f3digo abierto. El equipo de desarrollo de Zulip descubri\u00f3 que los usuarios activos que previamente se hab\u00edan suscrito a una transmisi\u00f3n incorrectamente segu\u00edan pudiendo usar la API de Zulip para acceder a los metadatos de esa transmisi\u00f3n. Como resultado, los usuarios que hab\u00edan sido eliminados de una transmisi\u00f3n, pero que a\u00fan ten\u00edan una cuenta en la organizaci\u00f3n, a\u00fan pod\u00edan ver los metadatos de esa transmisi\u00f3n (incluido el nombre de la transmisi\u00f3n, la descripci\u00f3n, la configuraci\u00f3n y una direcci\u00f3n de correo electr\u00f3nico utilizada para enviar correos electr\u00f3nicos a la transmisi\u00f3n). A trav\u00e9s de la integraci\u00f3n de correo electr\u00f3nico entrante). Esto potencialmente permit\u00eda a los usuarios ver cambios en los metadatos de una transmisi\u00f3n despu\u00e9s de haber perdido el acceso a la misma. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 7.5 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para este problema."}], "id": "CVE-2023-47642", "lastModified": "2023-11-25T02:06:17.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-16T22:15:28.353", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zulip/zulip/commit/6336322d2f9bbccaacfc80cba83a3c62eefd5737"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/zulip/zulip/security/advisories/GHSA-c9wc-65fh-9x8p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}