CVE-2021-41115 Information

Description

Zulip is an open source team chat server. In affected versions, organization administrators on a Zulip server can configure "linkifiers": rules that automatically turn any text in a sent message matching an administrator-supplied regular expression into a link. Because that regular expression is arbitrary, a malicious organization administrator could subject the server to a denial of service through regular expression complexity (ReDoS) attacks, most simply by configuring a linkifier whose pattern takes quadratic time to match and then sending messages crafted to trigger that worst case. Note that organization administrator is an in-application role, not server administrator access, which is why the CVSS vector records only low privileges (PR:L). The server attempted to guard against this by checking each user-provided pattern with another regular expression; that check was both insufficient (it did not catch every pathological pattern) and itself subject to ReDoS when an organization administrator submitted a sufficiently complex invalid regex. Affected users should upgrade to the just-released Zulip 4.7 or the main branch.
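
The following is an added example, not Zulip's code and not the validation check the advisory refers to. It shows what a linkifier does to a message, why a "check the regex with a regex" validator is insufficient (a constructed naive check that only flags nested quantifiers lets an adjacent-quantifier quadratic pattern through), and a stdlib-only alternative that bounds the engine's actual runtime by probing the pattern in a killable child process. The linkifier patterns, the `%(id)s` URL-template convention, the probe inputs and the time budget are all constructed assumptions for this example.

```python
"""Constructed demonstration of the linkifier ReDoS described in CVE-2021-41115.

Nothing here is Zulip's own code.  The linkifier patterns, the URL template
convention, the naive "validate the regex with a regex" check and the
time-boxed validator are all constructed for this example.
"""
from __future__ import annotations

import multiprocessing
import re

# Constructed linkifiers (assumed shape: a pattern with a named group plus a
# URL template using %-formatting of that group; not necessarily Zulip's format).
SAFE_LINKIFIER = r"#(?P<id>[0-9]+)"
QUADRATIC_LINKIFIER = r"(?P<id>[0-9]*)[0-9]*x"    # adjacent overlapping quantifiers
EXPONENTIAL_LINKIFIER = r"(?P<id>([0-9]+)+)x"    # nested quantifier
URL_TEMPLATE = "https://tracker.example/issues/%(id)s"


def apply_linkifier(pattern: str, url_template: str, message: str) -> str:
    """What a linkifier does to a message: every match becomes a URL built from
    the named groups.  Run this only on patterns that already passed validation."""
    return re.sub(pattern, lambda m: url_template % m.groupdict(), message)


# Constructed stand-in for checking a regex *with* a regex (not the check Zulip
# had): it only notices a quantified group that is itself quantified, so
# adjacent overlapping quantifiers such as `[0-9]*[0-9]*` sail straight through.
_NESTED_QUANTIFIER = re.compile(r"\((?:[^()\\]|\\.)*[+*]\)[+*?{]")


def naive_looks_safe(pattern: str) -> bool:
    return _NESTED_QUANTIFIER.search(pattern) is None


def adversarial_samples(length: int = 20000) -> list[str]:
    """Constructed probe inputs: long homogeneous runs, with and without a
    trailing character that forces the overall match to fail.  Failing late is
    what drives a backtracking engine into its worst case."""
    samples = []
    for run in ("0", "a", " ", "-", "0a", "#0"):
        body = (run * length)[:length]
        samples += [body + "!", body]
    return samples


def _probe(pattern: str, samples: list[str], conn) -> None:
    """Child process: compile and exercise the pattern, then report back."""
    try:
        compiled = re.compile(pattern)
        for sample in samples:
            compiled.search(sample)
        conn.send("ok")
    except re.error as exc:
        conn.send(f"invalid regex: {exc}")
    finally:
        conn.close()


try:
    _CTX = multiprocessing.get_context("fork")  # child needs no re-import of this module
except ValueError:  # Windows has no fork
    _CTX = multiprocessing.get_context()


def validate_linkifier_pattern(pattern: str, budget_seconds: float = 2.0) -> tuple[bool, str]:
    """Accept a pattern only if it compiles and finishes every probe within the
    time budget.  The matching runs in a child process so a pathological pattern
    is killed instead of stalling the caller; inspecting the pattern text, by
    contrast, cannot bound the engine's runtime and can itself be attacked."""
    recv_end, send_end = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_probe, args=(pattern, adversarial_samples(), send_end))
    proc.start()
    send_end.close()  # the parent keeps only the receiving end
    try:
        if not recv_end.poll(budget_seconds):
            verdict = f"rejected: exceeded {budget_seconds}s budget (possible ReDoS)"
        else:
            try:
                verdict = recv_end.recv()
            except EOFError:  # child died without reporting
                verdict = "rejected: validator process died"
    finally:
        if proc.is_alive():
            proc.kill()
        proc.join()
        recv_end.close()
    return verdict == "ok", verdict


if __name__ == "__main__":
    print(apply_linkifier(SAFE_LINKIFIER, URL_TEMPLATE, "fixed #42, see #7"))
    for name, pattern in [("safe", SAFE_LINKIFIER), ("quadratic", QUADRATIC_LINKIFIER),
                          ("exponential", EXPONENTIAL_LINKIFIER), ("broken", "(unclosed")]:
        print(f"{name:12} naive_ok={naive_looks_safe(pattern)!s:5} "
              f"timeboxed={validate_linkifier_pattern(pattern)}")
```

The time box is a budget, not a proof: a pattern can pass these generic probes and still blow up on an input the probes did not exercise, so it is a backstop rather than a guarantee. The robust fix for admin-supplied patterns is to match them with a linear-time engine such as RE2, which rejects backreferences and never backtracks (general guidance, not a statement about which approach Zulip's fix took). Forking the web process per validation is also not something to do in a Django worker; in production the probe belongs in a dedicated worker pool.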

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Reference

https://github.com/zulip/zulip/security/advisories/GHSA-4h36-mqfq-42jg
https://securitylab.github.com/advisories/GHSL-2021-118-zulip-zulip/
https://github.com/zulip/zulip/commit/e2d303c1bb5f538d17dc3d9134bc8858bdece781

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

6.5

Base Severity

MEDIUM