{"uuid": "0adea60f-ed03-4ee6-831d-303981ca0582", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-31168", "type": "seen", "source": "https://t.me/cibsecurity/46792", "content": "\u203c CVE-2022-31168 \u203c\n\nZulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don't own any bots, and lack permission to create them, can't exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-07-22T16:19:14.000000Z"}