Skip to content

Unauthorized user can register an account in specific configurations involving LDAP and another external authentication backend

High
alexmv published GHSA-7p62-pjwg-56rv May 19, 2023

Package

Zulip

Affected versions

2.1.0 through 6.1

Patched versions

6.2

Description

Impact

If:

  • ZulipLDAPAuthBackend and an external authentication backend (any aside of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py
  • The organization permissions don't require invitations to join

An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory.

The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having Invitations are required for joining this organization organization permission disabled.

Workaround

Enabling Invitations are required for joining this organization organization permission prevents this issue.

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2023-28623

Weaknesses