CVE-2023-32677: 
NixOS vulnerability analysis and mitigation

Zulip Server versions 6.1 and below contain a vulnerability (CVE-2023-32677) where users with invitation permissions could add new users to streams during the invitation process, even if they lacked the general permission to add users to streams. The vulnerability was discovered and disclosed in May 2023, affecting Zulip's team collaboration platform (Zulip Advisory).

The vulnerability stems from a permission control bypass in the invitation system. While administrators can configure Zulip to limit who can add users to streams and separately limit who can invite users to the organization, the UI allowed users with invitation permissions to set streams for new users during invitation, circumventing the stream subscription permission checks. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.1 LOW (Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) (NVD).

The impact of this vulnerability is limited as it does not allow users to invite new members to streams they cannot see themselves, or to streams they wouldn't be able to add users to if they had the general permission. However, it does violate intended security controls in configurations where stream subscription permissions are meant to be restricted (Zulip Advisory).

The vulnerability has been patched in Zulip Server version 6.2. For users unable to upgrade, administrators can mitigate the vulnerability by limiting invitation permissions to users who also have permission to add users to streams (Zulip Advisory).