Home > Vulnerability Database > CVE-2022-36048

Mend.io Vulnerability Database

CVE-2022-36048

Good to know:

Date: August 31, 2022

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer’s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Server 5.6. Zulip organizations with image and link previews [disabled](https://zulip.com/help/allow-image-link-previews) are not affected.

Language: Python

Severity Score

4.3

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-36048

Url: https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452

Url: https://www.mend.io/vulnerability-database/CVE-2022-36048

Severity Score

4.3

Weakness Type (CWE)

Interpretation Conflict

CWE-436

Top Fix

Upgrade Version

Upgrade to version 5.6

Learn More

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-36048

Good to know:

Date: August 31, 2022

Language: Python

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?