{"vulnerability": "CVE-2022-31168", "sightings": [{"uuid": "53910eb2-86a8-48b6-9151-544b4517984a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-31168", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/13100", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-31168\n\ud83d\udd25 CVSS Score: 5.4 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)\n\ud83d\udd39 Description: Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don\u2019t own any bots, and lack permission to create them, can\u2019t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.\n\ud83d\udccf Published: 2022-07-22T13:05:12.000Z\n\ud83d\udccf Modified: 2025-04-23T17:57:19.812Z\n\ud83d\udd17 References:\n1. https://github.com/zulip/zulip/security/advisories/GHSA-c3cp-ggg5-9xw5\n2. https://github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034\n3. https://github.com/zulip/zulip/releases/tag/5.5", "creation_timestamp": "2025-04-23T18:05:39.000000Z"}, {"uuid": "0adea60f-ed03-4ee6-831d-303981ca0582", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-31168", "type": "seen", "source": "https://t.me/cibsecurity/46792", "content": "\u203c CVE-2022-31168 \u203c\n\nZulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don\u00c3\u00a2\u00e2\u201a\u00ac\u00e2\u201e\u00a2t own any bots, and lack permission to create them, can\u00c3\u00a2\u00e2\u201a\u00ac\u00e2\u201e\u00a2t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to administrators only, and change the ownership of existing bots.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-07-22T16:19:14.000000Z"}]}