CVE-2024-56136
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-56136
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56136.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-56136
- Aliases
-
- GHSA-5xg8-xhfj-4hm6
- Published
- 2025-01-16T19:25:33.261Z
- Modified
- 2025-12-05T07:35:25.638483Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- /api/v1/jwt/fetch_api_key endpoint can leak if an email address has an account in Zulip server
- Details
-
Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to an information disclose attack, where, if a Zulip server is hosting multiple organizations, an unauthenticated user can make a request and determine if an email address is in use by a user. Zulip Server 9.4 resolves the issue, as does the
mainbranch of Zulip Server. Users are advised to upgrade. There are no known workarounds for this issue. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-200" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56136.json" }- References