CVE-2021-43791

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-43791
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43791.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-43791
Related
  • GHSA-wj76-pcqr-mf9f
Published
2021-12-02T01:15:07Z
Modified
2025-01-15T02:07:40.628697Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions, expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint, which then redirects to a POST to /accounts/register/. The problem was that validation happened only in the check_prereg_key_and_redirect step and not in /accounts/register/, meaning that one could submit an expired confirmation key directly to the registration endpoint and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible.
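
The pattern behind this advisory (expiry checked at the redirect step but not at the endpoint that actually creates the account) can be illustrated in a few lines. The following is an added example and not Zulip's code; the names ConfirmationStore, get_object_from_key, check_prereg_key_and_redirect and accounts_register_* are assumptions for this illustration, and the sample keys and timestamps are constructed. The vulnerable handler trusts that the redirect step already validated the key and only looks it up; the fixed handler re-validates, expiry included, at the state-changing endpoint.

```python
# Added illustration (not Zulip's code): enforce confirmation-link expiry at the
# endpoint that performs the state change, not only at the redirect before it.
# All names below are assumptions for this example; sample data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


class ConfirmationKeyError(Exception):
    """Raised when a confirmation key is unknown, of the wrong type, or expired."""


@dataclass
class Confirmation:
    key: str
    email: str
    type: str            # e.g. "invitation"
    expires_at: datetime


class ConfirmationStore:
    """In-memory stand-in for the confirmation table (assumption)."""

    def __init__(self) -> None:
        self._by_key: Dict[str, Confirmation] = {}
        self.registered: Dict[str, str] = {}   # email -> key that was used

    def create(self, key: str, email: str, type: str,
               now: datetime, validity: timedelta) -> Confirmation:
        conf = Confirmation(key, email, type, now + validity)
        self._by_key[key] = conf
        return conf

    def lookup(self, key: str) -> Optional[Confirmation]:
        # Plain lookup: no type or expiry enforcement.
        return self._by_key.get(key)

    def get_object_from_key(self, key: str, expected_type: str,
                            now: datetime) -> Confirmation:
        # Validating lookup: unknown/wrong-type keys and expired keys are rejected.
        conf = self._by_key.get(key)
        if conf is None or conf.type != expected_type:
            raise ConfirmationKeyError("unknown key")
        if now >= conf.expires_at:
            raise ConfirmationKeyError("expired key")
        return conf


def check_prereg_key_and_redirect(store: ConfirmationStore, key: str, now: datetime) -> str:
    # Step 1 of the flow: validate the key, then send the browser to the registration form.
    store.get_object_from_key(key, "invitation", now)
    return f"/accounts/register/?key={key}"


def accounts_register_vulnerable(store: ConfirmationStore, key: str, now: datetime) -> str:
    # Before the fix: assumes step 1 already validated the key and only looks it up,
    # so a request that skips step 1 can register with an expired key.
    conf = store.lookup(key)
    if conf is None:
        raise ConfirmationKeyError("unknown key")
    store.registered[conf.email] = key
    return conf.email


def accounts_register_fixed(store: ConfirmationStore, key: str, now: datetime) -> str:
    # After the fix: the state-changing endpoint re-validates the key itself,
    # including expiry, regardless of what happened at the redirect step.
    conf = store.get_object_from_key(key, "invitation", now)
    store.registered[conf.email] = key
    return conf.email


# Constructed timeline: invitations issued on T0, requests arrive 11 days later.
T0 = datetime(2021, 11, 1, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=11)


def build_store() -> ConfirmationStore:
    store = ConfirmationStore()
    store.create("k-fresh", "alice@example.com", "invitation", T0, timedelta(days=30))
    store.create("k-stale", "bob@example.com", "invitation", T0, timedelta(days=10))
    return store


def outcome(handler: Callable[..., str], store: ConfirmationStore,
            key: str, now: datetime) -> str:
    """Run a handler and report 'ok:<result>' or 'rejected:<reason>'."""
    try:
        return "ok:" + handler(store, key, now)
    except ConfirmationKeyError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    store = build_store()
    for handler in (check_prereg_key_and_redirect,
                    accounts_register_vulnerable, accounts_register_fixed):
        print(handler.__name__, "k-stale ->", outcome(handler, store, "k-stale", NOW))
```

Running the block shows the redirect step and the fixed handler both rejecting the stale key, while the vulnerable handler registers bob with it. The defensive rule it demonstrates is general: any check that gates a redirect must be repeated by the endpoint that consumes the token, because nothing forces a client to pass through the redirect first.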

References

Affected packages

Git / github.com/zulip/zulip

Affected ranges

Type
GIT
Repo
https://github.com/zulip/zulip
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

1.*

1.3.0
1.3.1
1.3.10
1.3.11
1.3.12
1.3.13
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.8.0-rc1
1.9.0
1.9.0-rc2
1.9.0-rc3

2.*

2.0.0
2.0.0-rc1
2.1-dev
2.1.0
2.1.0-rc1
2.2-dev

3.*

3.0
3.0-dev
3.0-rc1
3.0-rc2

4.*

4.0
4.0-dev

5.*

5.0-dev

enterprise-1.*

enterprise-1.1.5
enterprise-1.2.0

shared-0.*

shared-0.0.1
shared-0.0.2
shared-0.0.3
shared-0.0.4
shared-0.0.5
shared-0.0.6