CVE-2022-36048

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer’s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Server 5.6. Zulip organizations with image and link previews [disabled](https://zulip.com/help/allow-image-link-previews) are not affected.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*

History

08 Sep 2022, 14:17

Type	Values Removed	Values Added
References	~~(CONFIRM) https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452 -~~	(CONFIRM) https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
First Time		Zulip zulip Zulip
CPE		cpe:2.3:a:zulip:zulip::::::::

31 Aug 2022, 21:12

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-08-31 20:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-36048

Mitre link : CVE-2022-36048

CVE.ORG link : CVE-2022-36048

JSON object : View

Products Affected

zulip

zulip

CWE

CWE-436

Interpretation Conflict

{"id": "CVE-2022-36048", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-08-31T20:15:08.813", "references": [{"url": "https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-436"}]}], "descriptions": [{"lang": "en", "value": "Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer\u2019s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Server 5.6. Zulip organizations with image and link previews [disabled](https://zulip.com/help/allow-image-link-previews) are not affected."}, {"lang": "es", "value": "Zulip es una herramienta de colaboraci\u00f3n en equipo de c\u00f3digo abierto con hilos basados en temas que combinan el correo electr\u00f3nico y el chat. Cuando muestra mensajes con im\u00e1genes remotas insertadas, Zulip normalmente carga la vista previa de la imagen por medio de un servidor proxy go-camo. Sin embargo, un atacante que pueda enviar mensajes podr\u00eda incluir una URL dise\u00f1ada que enga\u00f1e al servidor para que inserte una referencia de imagen remota directamente. Esto podr\u00eda permitir al atacante inferir la direcci\u00f3n IP del espectador y la informaci\u00f3n de las huellas del navegador. Esta vulnerabilidad ha sido corregido en Zulip Server versi\u00f3n 5.6. Las organizaciones de Zulip con vistas previas de im\u00e1genes y enlaces [deshabilitadas] (https://zulip.com/help/allow-image-link-previews) no est\u00e1n afectadas"}], "lastModified": "2022-09-08T14:17:36.757", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zulip:zulip:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22D5894B-5893-44F5-AFF3-8DCB4D476E53", "versionEndExcluding": "5.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}