nvd-json-data-feeds/CVE-2024/CVE-2024-272xx/CVE-2024-27286.json

{
  "id": "CVE-2024-27286",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2024-03-20T20:15:08.407",
  "lastModified": "2024-03-21T12:58:51.093",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Zulip is an open-source team collaboration. When a user moves a Zulip message, they have the option to move all messages in the topic, move only subsequent messages as well, or move just a single message.  If the user chose to just move one message, and was moving it from a public stream to a private stream, Zulip would successfully move the message, -- but active users who did not have access to the private stream, but whose client had already received the message, would continue to see the message in the public stream until they reloaded their client.  Additionally, Zulip did not remove view permissions on the message from recently-active users, allowing the message to show up in the \"All messages\" view or in search results, but not in \"Inbox\" or \"Recent conversations\" views. While the bug has been present since moving messages between streams was first introduced in version 3.0, this option became much more common starting in Zulip 8.0, when the default option in the picker for moving the very last message in a conversation was changed. This issue is fixed in Zulip Server 8.3. No known workarounds are available."
    },
    {
      "lang": "es",
      "value": "Zulip es una colaboraci\u00f3n en equipo de c\u00f3digo abierto. Cuando un usuario mueve un mensaje de Zulip, tiene la opci\u00f3n de mover todos los mensajes del tema, mover tambi\u00e9n solo los mensajes posteriores o mover solo un mensaje. Si el usuario elige mover solo un mensaje y lo mueve de una transmisi\u00f3n p\u00fablica a una privada, Zulip mover\u00eda exitosamente el mensaje, pero los usuarios activos que no ten\u00edan acceso a la transmisi\u00f3n privada, pero cuyo cliente ya lo hab\u00eda hecho. recibido el mensaje, continuar\u00eda viendo el mensaje en la transmisi\u00f3n p\u00fablica hasta que recargaran su cliente. Adem\u00e1s, Zulip no elimin\u00f3 los permisos de visualizaci\u00f3n del mensaje de los usuarios activos recientemente, lo que permiti\u00f3 que el mensaje apareciera en la vista \"Todos los mensajes\" o en los resultados de b\u00fasqueda, pero no en las vistas \"Bandeja de entrada\" o \"Conversaciones recientes\". Si bien el error ha estado presente desde que se introdujo por primera vez el movimiento de mensajes entre transmisiones en la versi\u00f3n 3.0, esta opci\u00f3n se volvi\u00f3 mucho m\u00e1s com\u00fan a partir de Zulip 8.0, cuando se cambi\u00f3 la opci\u00f3n predeterminada en el selector para mover el \u00faltimo mensaje de una conversaci\u00f3n. Este problema se solucion\u00f3 en Zulip Server 8.3. No hay workarounds disponibles. "
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/zulip/zulip/commit/3db1733310ddd944c2e690ba673232345c928eec",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/zulip/zulip/security/advisories/GHSA-478x-rfqr-w4jf",
      "source": "security-advisories@github.com"
    }
  ]
}