CVE-2022-35962: 
NixOS vulnerability analysis and mitigation

A security vulnerability (CVE-2022-35962) was discovered in Zulip Mobile versions up through v27.189, where a malformed image link in a message sent by an authenticated user could lead to credential disclosure if a user taps on the image to expand it (Zulip Blog, GitHub Advisory). The vulnerability was discovered internally by the Zulip team and was patched in Zulip Mobile version v27.190, released on August 24, 2022.

The vulnerability has a CVSS v3.1 base score of 8.0 (High severity) with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: Low, User Interaction: Required, Scope: Unchanged, and Impact levels (Confidentiality, Integrity, and Availability) all rated as High. The vulnerability is associated with CWE-184 and CWE-436 (GitHub Advisory).

If exploited, the vulnerability could allow an attacker who can send messages to craft a malformed image link that, when tapped by a user in the Zulip mobile apps, would disclose the recipient's Zulip credentials. A complete audit determined that this vulnerability was never exploited in Zulip Cloud (Zulip Blog).

The vulnerability was fixed in Zulip Mobile version v27.190. Additionally, upgrading to Zulip Server 5.6 or later prevents sending malformed links, making it impossible for this issue to be exploited, even for users running older versions of Zulip Mobile. Zulip Cloud was also upgraded to protect against this vulnerability (GitHub Advisory, Zulip Blog).