CVE-2021-3967

8.8 HIGH

📋 TL;DR

CVE-2021-3967 is an improper access control vulnerability in Zulip (GitHub repository zulip/zulip) that allows attackers to bypass access controls and potentially access sensitive data or perform unauthorized actions. It affects all Zulip servers running versions prior to 4.10.

💻 Affected Systems

Products:
  • Zulip
Versions: All versions prior to 4.10
Operating Systems: All platforms running Zulip
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Zulip deployments regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive user data, modify configurations, or compromise the entire Zulip instance through privilege escalation.

🟠 Likely Case

Unauthorized access to restricted channels, user information, or administrative functions leading to data exposure.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, but still presents authentication bypass risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires some understanding of Zulip's API and access control mechanisms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.10 and later

Vendor Advisory: https://github.com/zulip/zulip/commit/d5db254ca8167995a1654d1c45ffc74b2fade39a

Restart Required: Yes

Instructions:

1. Back up your Zulip instance.
2. Update to Zulip 4.10 or later using your deployment method.
3. Restart the Zulip server.
4. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction (linux)

Restrict network access to the Zulip server to trusted IPs only:

# Replace TRUSTED_IP with the address (or CIDR range) of the clients that must keep access.
# -A appends: any earlier ACCEPT rule in the INPUT chain still takes precedence, and the
# rules are not persisted across a reboot unless saved with your distribution's tooling.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Zulip instance
  • Enable detailed logging and monitoring for unusual access patterns or authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check Zulip version via admin panel or run: grep -i version /home/zulip/deployments/current/version.py

Check Version:

grep -i version /home/zulip/deployments/current/version.py

Verify Fix Applied:

Verify that the version is 4.10 or later and that commit d5db254ca8167995a1654d1c45ffc74b2fade39a is present in the deployed checkout.
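The version check above is easy to get wrong in scripts because "4.9" sorts after "4.10" as a string. The following shell script is an added example, not part of this advisory or of the Zulip project: it reads the ZULIP_VERSION value from a version.py file and compares the major and minor components numerically against the fixed release 4.10. It assumes version.py contains a line of the form ZULIP_VERSION = "4.10"; the sample files it creates are constructed for a stand-alone run, and the real path on a server is /home/zulip/deployments/current/version.py.

```shell
# Added example (not from the advisory): decide whether a Zulip version string is at or
# above the fixed release 4.10. Plain string comparison gets this wrong ("4.9" > "4.10"),
# so the major and minor components are compared numerically.
FIXED_MAJOR=4
FIXED_MINOR=10

# version_is_fixed VERSION -> exit 0 if VERSION >= 4.10, 1 otherwise.
# Handles "4.9", "4.10", "5.0", and suffixed strings like "4.10-dev" or "4.10+git".
version_is_fixed() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop any suffix after the numeric part
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  [ -z "$major" ] && return 1
  [ "$rest" = "$v" ] && minor=0                  # no dot at all, e.g. "5"
  if [ "$major" -gt "$FIXED_MAJOR" ]; then return 0; fi
  if [ "$major" -lt "$FIXED_MAJOR" ]; then return 1; fi
  [ "$minor" -ge "$FIXED_MINOR" ]
}

# extract_zulip_version FILE -> prints the ZULIP_VERSION value from a version.py.
# Assumption: version.py contains a line like ZULIP_VERSION = "4.10"; adjust the
# pattern if your deployment's file differs.
extract_zulip_version() {
  sed -n 's/^ZULIP_VERSION *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_deployment FILE -> prints a verdict and returns 0 (fixed) or 1 (vulnerable/unknown).
check_deployment() {
  ver=$(extract_zulip_version "$1")
  if [ -z "$ver" ]; then
    echo "could not read ZULIP_VERSION from $1"
    return 1
  fi
  if version_is_fixed "$ver"; then
    echo "Zulip $ver: at or above 4.10, not affected by CVE-2021-3967"
    return 0
  fi
  echo "Zulip $ver: prior to 4.10, affected by CVE-2021-3967, update required"
  return 1
}

# Constructed sample version.py files so the script runs stand-alone; on a real server
# point check_deployment at /home/zulip/deployments/current/version.py instead.
SAMPLE_DIR=$(mktemp -d)
printf 'ZULIP_VERSION = "4.9"\n' > "$SAMPLE_DIR/vulnerable_version.py"
printf 'ZULIP_VERSION = "4.10"\n' > "$SAMPLE_DIR/fixed_version.py"
check_deployment "$SAMPLE_DIR/vulnerable_version.py" || true
check_deployment "$SAMPLE_DIR/fixed_version.py" || true
```

To run it against a live deployment, replace the sample-file calls with `check_deployment /home/zulip/deployments/current/version.py`; the exit status (0 fixed, 1 not fixed or unreadable) makes it usable from a configuration-audit job.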

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to restricted endpoints
  • Unusual API calls from unexpected users
  • Access to admin functions from non-admin accounts

Network Indicators:

  • Unusual API request patterns
  • Access to /api/v1/ endpoints with unexpected parameters

SIEM Query:

source="zulip" AND (event_type="access_denied" OR status=403) | stats count by user, endpoint
