CVE-2021-3866: XSS in stream names
This is an important security announcement for Zulip installations running the
main (development) branch of the Zulip server. The
main branch of Zulip
a commit merged on December 4th,
was vulnerable to a stored cross-site scripting vulnerability in stream names. A
malicious user with permission to create or rename streams could exploit this
Self-hosted installations running official releases are not affected, since this change did not make it into an official release.
Self-hosted installations that upgraded to the
mainbranch on or after December 4 should immediately upgrade to the latest version of the
mainbranch to get the fix. Your installation is affected if you deployed from Git, and the following produces exactly one line of output (either zero or two lines of output means the server is not vulnerable):
git -C /home/zulip/deployments/current log | grep 44f935695d452cc3fb16845a0c6af710438b153d
Zulip Cloud was vulnerable from December 6th through January 15th. We have completed an audit of access logs, and have verified that this vulnerability was not exploited on Zulip Cloud.
We have been assigned CVE-2021-3866 for this vulnerability; we’d like to thank Abdul Muhaimin for bringing this to our attention.
(Edit: We were originally assigned CVE-2021-3853 for this issue. However, due to an error by the third party that assigned this CVE number, that CVE number had incorrectly also been assigned to an unrelated vulnerability in a different product.)
Because this vulnerability was not in any released version of Zulip Server, we
are not releasing a new version of Zulip to resolve it. If you upgraded to the
main branch on or after December 4, you should
upgrade to the latest
main again using our documented techniques.
If you need help, best-effort support is available on
Reminder: upgrade your host operating system
As a reminder, we will remove support for Ubuntu 18.04 Bionic shortly. Specifically, Ubuntu 18.04 will be supported in the rest of the Zulip Server 4.x series, but will not be supported in the upcoming Zulip Server 5.0 release.
We strongly recommend upgrading the OS of any Zulip servers you manage which are running on Ubuntu 18.04, because important packages in Ubuntu 18.04 are no longer receiving security support from Ubuntu. See our OS upgrade documentation for how to correctly upgrade the host operating system for a Zulip server.
We intend to remove support for Ubuntu 18.04 from the
main branch in the
upcoming days. Once we have done so, you will need to first
upgrade the operating system to Ubuntu 20.04
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on Twitter, or join our announcement mailing list (or subscribe to the blog posts, which are mostly a subset of the already low-volume mailing list).