IP address leak via image proxy bypass in Zulip Server

Moderate
andersk published GHSA-vg5m-mf9x-j452 Aug 24, 2022

Package

Zulip Server (Application)

Affected versions

< 5.6

Patched versions

5.6

Description

Impact

When displaying messages with embedded remote images, Zulip normally loads the image preview through a go-camo proxy server, so that the viewer's browser talks only to the proxy and never to the third-party host. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly, bypassing the proxy. When a recipient's client renders such a message it fetches the image from the attacker-controlled host, which allows the attacker to infer the viewer's IP address and browser fingerprinting information (for example, the request headers their browser sends).
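The following is an added example, not code from Zulip or go-camo. It shows what the proxy is supposed to guarantee and gives a check an operator can run over rendered message HTML to find image references that would make a viewer's browser contact a third party directly. It assumes go-camo's URL layout (proxy base, then an HMAC-SHA1 hex digest, then the hex-encoded target URL); the proxy base, HMAC key, server origin and the sample HTML are all constructed here for illustration.

```python
import hashlib
import hmac
import html.parser
from urllib.parse import urlparse

# Hypothetical deployment values; a real server keeps these in its settings.
CAMO_URI = "https://camo.example.com/"
CAMO_KEY = b"hypothetical-camo-secret"
SERVER_ORIGIN = "https://zulip.example.com"


def camo_url(remote_url: str) -> str:
    """Build a go-camo style proxy URL: <base><hmac-sha1 hex>/<hex-encoded target>."""
    raw = remote_url.encode()
    digest = hmac.new(CAMO_KEY, raw, hashlib.sha1).hexdigest()
    return f"{CAMO_URI}{digest}/{raw.hex()}"


def is_valid_camo_url(url: str) -> bool:
    """True only if url is under CAMO_URI and its digest verifies for the embedded target.

    A URL that merely starts with the proxy base, or that carries a digest for a
    different target, is rejected, so the proxy itself would refuse to fetch it.
    """
    if not url.startswith(CAMO_URI):
        return False
    digest, sep, hex_target = url[len(CAMO_URI):].partition("/")
    if not sep:
        return False
    try:
        target = bytes.fromhex(hex_target)
    except ValueError:
        return False
    expected = hmac.new(CAMO_KEY, target, hashlib.sha1).hexdigest()
    return hmac.compare_digest(digest, expected)


class _ImgSrcCollector(html.parser.HTMLParser):
    """Collects every <img src=...> value from rendered message HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value is not None:
                    self.srcs.append(value)


def find_unproxied_images(rendered_html: str) -> list[str]:
    """Return img src values that would make the viewer's browser fetch from a third party.

    Relative paths and same-origin URLs (uploads, emoji) are fine; everything else
    must be a verifiable camo URL or it is reported as a leak.
    """
    collector = _ImgSrcCollector()
    collector.feed(rendered_html)
    leaks = []
    for src in collector.srcs:
        parsed = urlparse(src)
        if not parsed.netloc:
            continue  # relative path served by the Zulip server itself
        if f"{parsed.scheme}://{parsed.netloc}" == SERVER_ORIGIN:
            continue  # absolute same-origin URL
        if is_valid_camo_url(src):
            continue
        leaks.append(src)
    return leaks


if __name__ == "__main__":
    # Constructed sample: one proxied image, one local upload, one direct remote reference.
    sample = (
        f'<p><img src="{camo_url("https://attacker.example/pixel.png")}">'
        '<img src="/user_uploads/1/pixel.png">'
        '<img src="https://attacker.example/pixel.png"></p>'
    )
    for leak in find_unproxied_images(sample):
        print("unproxied remote image:", leak)
```

Run over the rendered content of stored messages, the check reports any `<img>` whose src is neither local nor a camo URL with a valid digest; on a server that still lets a crafted URL through, those are exactly the references that expose viewers.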

Patches

This vulnerability is fixed in Zulip Server 5.6.

Workarounds

Zulip organizations with image and link previews disabled are not affected.

References

https://blog.zulip.com/2022/08/24/zulip-server-5-6-security-release/

For more information

If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.

Severity

Moderate
4.3 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-36048

Weaknesses