CVE-2022-31134 MEDIUM

CVE-2022-31134: Zulip Server public data export contains attachments that are non-public

Vendor Zulip
Product zulip
Weakness CWE-200 · Info exposure
Published July 12, 2022
Last update April 23, 2025

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 and above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to administrators, in many configurations server administrators are not expected to have access to private messages and private streams. However, the "public data" export which administrators could generate contained the attachment contents for all attachments, even those from private messages and streams. Zulip Server version 5.4 contains a patch for this issue.

Key dates

Disclosure timeline

July 12, 2022 CVE published
April 23, 2025 Record updated