Headline
CVE-2023-28623: CVE-2023-28623: Prevent unauthorized signup with ldap + external auth. · zulip/zulip@3df1b4d
Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: ZulipLDAPAuthBackend and an external authentication backend (any aside of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py and 2: The organization permissions don’t require invitations to join. An attacker can create a new account in the organization with an arbitrary email address in their control that’s not in the organization’s LDAP directory. The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having Invitations are required for joining this organization organization permission disabled. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may enable the Invitations are required for joining this organization organization permission to prevent this issue.
Permalink
Browse files
Browse the repository at this point in the history
CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.
Since 74dd21c in Zulip Server 2.1.0, if:
- ZulipLDAPAuthBackend and an external authentication backend (any aside of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py
- The organization permissions don’t require invitations to join
…then an attacker can create a new account in the organization with an arbitrary email address in their control that’s not in the organization’s LDAP directory.
The impact is limited to installations which have the specific combination of authentication backends described above, in addition to having the “Invitations are required for joining this organization organization” permission disabled.
- Loading branch information