CVE-2022-31134: Zulip Server public data export contains attachments that are non-public

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-31134

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Zulip Server public data export contains attachments that are non-public

Source: NVD (National Vulnerability Database)

Vulnerability Description

Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to administrators, in many configurations server administrators are not expected to have access to private messages and private streams. However, the "public data" export which administrators could generate contained the attachment contents for all attachments, even those from private messages and streams. Zulip Server version 5.4 contains a patch for this issue.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

信息暴露

Source: NVD (National Vulnerability Database)

Vulnerability Title

Zulip 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Zulip是Zulip团队的一款功能强大的开源群聊应用程序。用于将实时聊天的即时性与线程对话的生产力优势相结合。 Zulip Server 2.1.0 以上版本存在代码问题漏洞，该漏洞源于公共导出代码中的错误，公共数据的导出包含所有上传的文件包括来自私人消息和私人流的文件。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
zulip	zulip	>= 2.1.0, < 5.4	-

II. Public POCs for CVE-2022-31134

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2022-31134

Please Login to view more intelligence information

https://blog.zulip.com/2022/07/12/zulip-cloud-data-exportsx_refsource_MISC
https://github.com/zulip/zulip/security/advisories/GHSA-58pm-88xp-7x9mx_refsource_CONFIRM
https://blog.zulip.com/2022/07/12/zulip-server-5-4-security-releasex_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2022-31134

IV. Related Vulnerabilities

Same product: zulip

Same vendor: zulip

Same weakness: CWE-200

V. Comments for CVE-2022-31134

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2022-31134

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2022-31134

III. Intelligence Information for CVE-2022-31134

IV. Related Vulnerabilities

V. Comments for CVE-2022-31134

Leave a comment