Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Non-constant-time SCIM token comparison in Zulip Server
Vulnerability Description
Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity Management(SCIM) account management enabled, Zulip Server 5.0 through 5.6 checked the SCIM bearer token using a comparator that did not run in constant time. Therefore, it might theoretically be possible for an attacker to infer the value of the token by performing a sophisticated timing analysis on a large number of failing requests. If successful, this would allow the attacker to impersonate the SCIM client for its abilities to read and update user accounts in the Zulip organization. Organizations where SCIM account management has not been enabled are not affected.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
信息暴露
Vulnerability Title
Zulip 信息泄露漏洞
Vulnerability Description
Zulip是美国Zulip公司的一款功能强大的开源群聊应用程序。用于将实时聊天的即时性与线程对话的生产力优势相结合。 Zulip 5.0至5.6版本存在信息泄露漏洞,该漏洞源于其使用一个没有在固定时间运行的比较器检查SCIM承载令牌导致攻击者可以通过对大量失败的请求执行复杂的时间分析来推断令牌的值。如果成功,攻击者就可以模拟SCIM客户端来读取和更新Zulip组织中的用户帐户。
CVSS Information
N/A
Vulnerability Type
N/A