What is CVE-2021-43799?

CVE-2021-43799 is a high-severity vulnerability in Zulip, classified under Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). CVSS score: 8.6/10. Published 2022-01-25.

How severe is CVE-2021-43799?

High severity. CVSS v3 base score is 8.6 out of 10.

Is CVE-2021-43799 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Zulip

CVE-2021-43799

Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successf…

EPSS: 0.053 (90.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N.

Affected products

Zulip — versions < 4.9

Weakness classification (CWE)

CWE-338 — Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Public proof-of-concept exploits

References

github.com/zulip/zulip/security/advisories/GHSA-p663-wxvv-2fjp (x_refsource_CONFIRM)
github.com/zulip/zulip/commit/a5496f4098e3998c9b84e8dc564aa983d6cdf6e8 (x_refsource_MISC)
github.com/gteissier/erl-matter (x_refsource_MISC)
github.com/zulip/zulip/releases/tag/4.9 (x_refsource_MISC)

Frequently asked questions

What is CVE-2021-43799?: CVE-2021-43799 is a high-severity vulnerability in Zulip, classified under Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). CVSS score: 8.6/10. Published 2022-01-25.
How severe is CVE-2021-43799?: High severity. CVSS v3 base score is 8.6 out of 10.
Is CVE-2021-43799 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.