admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-12-30 05:58:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add CVE-2022-41914 for GHSA-q5gx-377v-w76f

Browse Source 
Add CVE-2022-41914 for GHSA-q5gx-377v-w76f
This commit is contained in:
advisory-database[bot] 2022-11-16 19:38:07 +00:00 committed by GitHub
parent ef668ae0e3
commit 763ac71dff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 76 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
2022/41xxx/CVE-2022-41914.json
View File

@ -1,18 +1,88 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-41914",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Non-constant-time SCIM token comparison in Zulip Server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "zulip",
"version": {
"version_data": [
{
"version_value": ">= 5.0, < 5.7"
}
]
}
}
]
},
"vendor_name": "zulip"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity Management(SCIM) account management enabled, Zulip Server 5.0 through 5.6 checked the SCIM bearer token using a comparator that did not run in constant time. Therefore, it might theoretically be possible for an attacker to infer the value of the token by performing a sophisticated timing analysis on a large number of failing requests. If successful, this would allow the attacker to impersonate the SCIM client for its abilities to read and update user accounts in the Zulip organization. Organizations where SCIM account management has not been enabled are not affected."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/zulip/zulip/security/advisories/GHSA-q5gx-377v-w76f",
"refsource": "CONFIRM",
"url": "https://github.com/zulip/zulip/security/advisories/GHSA-q5gx-377v-w76f"
},
{
"name": "https://github.com/zulip/zulip/commit/59edbfa4113d140d3e20126bc65f4d67b2a8ffe5",
"refsource": "MISC",
"url": "https://github.com/zulip/zulip/commit/59edbfa4113d140d3e20126bc65f4d67b2a8ffe5"
}
]
},
"source": {
"advisory": "GHSA-q5gx-377v-w76f",
"discovery": "UNKNOWN"
}
}