Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously.
As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6.
This issue has been patched in version 11.6.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
References 4
https://github.com/zulip/zulip/commit/3c045414299680b9f5dca7d76cf6cef6121c0236
security-advisories@github.com
https://github.com/zulip/zulip/commit/41e23347b5218b3b0397a55176c7d97396735bae
security-advisories@github.com
https://github.com/zulip/zulip/releases/tag/11.6
security-advisories@github.com
https://github.com/zulip/zulip/security/advisories/GHSA-f47p-xjqq-g28w
security-advisories@github.com