2019-09-18 14:15:10 2019-09-18 20:27:18

The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amount of CPU time and stall the processing of future messages.
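The pattern below is an added illustration of the bug class the advisory describes (a regex whose nested repetition makes a failed match cost exponential time); it is not Zulip's code and is not the regular expression that was in its Markdown parser. It puts a hypothetical vulnerable pattern beside an equivalent rewrite with no ambiguous way to consume a character, and includes the equivalence check a practitioner would want before shipping such a rewrite.

```python
import re
import time

# Constructed for this example; NOT the regex from Zulip's Markdown parser.
#
# Vulnerable: `\w+` repeated inside a group whose separator is optional. A run
# of n word characters can be split across iterations in 2^(n-1) ways, and a
# backtracking engine tries every split before it can report that the overall
# match fails.
VULNERABLE = re.compile(r"^(\w+\s?)*$")

# Hardened: the same language, but each character has exactly one way to be
# consumed. A word run is always taken whole by a single `\w+`, because what
# follows must be a separator or the end of input, so a failed match costs
# O(n) steps instead of O(2^n).
HARDENED = re.compile(r"^(\w+(\s\w+)*\s?)?$")


def crafted_message(n: int) -> str:
    """Attacker-controlled input: n word characters followed by a character
    that can never match, which forces the engine onto its failure path."""
    return "a" * n + "!"


def matches(pattern: re.Pattern, text: str) -> bool:
    return pattern.match(text) is not None


def patterns_agree(samples) -> bool:
    """Regression check for a regex rewrite: the hardened pattern must accept
    and reject exactly the same inputs as the pattern it replaces."""
    return all(matches(VULNERABLE, s) == matches(HARDENED, s) for s in samples)


def time_match(pattern: re.Pattern, text: str) -> float:
    """Seconds spent on a single match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def main() -> None:
    samples = ["", "hello", "hello world", "hello  world", " hello", "hello ",
               "hello!", crafted_message(8)]
    print("patterns agree on samples:", patterns_agree(samples))
    # Time roughly doubling for every extra character is the signature of
    # exponential backtracking; the hardened pattern stays flat. n is kept
    # small on purpose: at n=25 the vulnerable pattern already explores
    # tens of millions of paths.
    for n in (12, 16, 20, 22):
        text = crafted_message(n)
        print(f"n={n:2d}  vulnerable={time_match(VULNERABLE, text):.4f}s  "
              f"hardened={time_match(HARDENED, text):.6f}s")


if __name__ == "__main__":
    main()
```

Two caveats worth noting. A maximum message length bounds polynomial ReDoS but is no defense against an exponential pattern, since a couple of dozen characters are enough to stall a worker; the fix has to be the pattern itself (on Python 3.11 and later, atomic groups `(?>...)` and possessive quantifiers such as `*+` are another way to remove the ambiguity). And because Python's `re` runs the match on the request thread with no step limit, a per-request CPU or wall-clock limit at the process or queue level is the only defense in depth that actually stops the stall once a vulnerable pattern has shipped.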

CVSS v2 base metrics
Access vector: NETWORK
Access complexity: LOW
Authentication: SINGLE_INSTANCE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL

Affected versions of Zulip server (vendor: Zulip; the entries below are not official CPEs):
1.1.5
1.2.0, 1.2.0 P1, 1.2.1
1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13
1.4.0, 1.4.1, 1.4.2, 1.4.3
1.5.0, 1.5.1, 1.5.2
1.6.0
1.7.0, 1.7.1, 1.7.2
1.8.0, 1.8.0 Rc1, 1.8.1
1.9.0, 1.9.0 Rc1, 1.9.0 Rc2, 1.9.0 Rc3, 1.9.1, 1.9.2
2.0.0, 2.0.0 Rc1, 2.0.1, 2.0.2, 2.0.3, 2.0.4