CVE-2021-29474

{"id": "CVE-2021-29474", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2021-04-26T22:15:08.900", "references": [{"url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-22"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker can read arbitrary `.md` files from the server's filesystem due to an improper input validation, which results in the ability to perform a relative path traversal. To verify if you are affected, you can try to open the following URL: `http://localhost:3000/..%2F..%2FREADME#` (replace `http://localhost:3000` with your instance's base-URL e.g. `https://demo.hedgedoc.org/..%2F..%2FREADME#`). If you see a README page being rendered, you run an affected version. The attack works due the fact that the internal router passes the url-encoded alias to the `noteController.showNote`-function. This function passes the input directly to findNote() utility function, that will pass it on the the parseNoteId()-function, that tries to make sense out of the noteId/alias and check if a note already exists and if so, if a corresponding file on disk was updated. If no note exists the note creation-function is called, which pass this unvalidated alias, with a `.md` appended, into a path.join()-function which is read from the filesystem in the follow up routine and provides the pre-filled content of the new note. This allows an attacker to not only read arbitrary `.md` files from the filesystem, but also observes changes to them. The usefulness of this attack can be considered limited, since mainly markdown files are use the file-ending `.md` and all markdown files contained in the hedgedoc project, like the README, are public anyway. If other protections such as a chroot or container or proper file permissions are in place, this attack's usefulness is rather limited. On a reverse-proxy level one can force a URL-decode, which will prevent this attack because the router will not accept such a path."}, {"lang": "es", "value": "HedgeDoc (anteriormente conocida como CodiMD) es un editor colaborativo de c\u00f3digo abierto. Un atacante puede leer archivos arbitrarios \".md\" del sistema de archivos del servidor debido a una comprobaci\u00f3n inapropiada de la entrada, lo que resulta en la habilidad de llevar a cabo un salto de ruta relativo. Para comprobar si est\u00e1 afectado, puede intentar abrir la siguiente URL: \"http://localhost:3000/..%2F..%2FREADME#\" (sustituya \"http://localhost:3000\" por la URL base de su instancia, por ejemplo \"https://demo.hedgedoc.org/..%2F..%2FREADME#\"). Si ve que se muestra una p\u00e1gina README, significa que est\u00e1 ejecutando una versi\u00f3n afectada. El ataque funciona debido a que el router interno pasa el alias codificado en url a la funci\u00f3n \"noteController.showNote\". Esta funci\u00f3n pasa la entrada directamente a la funci\u00f3n de utilidad findNote(), que la pasar\u00e1 a la funci\u00f3n parseNoteId(), que intenta dar sentido al noteId/alias y comprobar si ya se presenta una nota y, si es as\u00ed, si se ha actualizado el archivo correspondiente en el disco. Si no se presenta ninguna nota, se llama a la funci\u00f3n de creaci\u00f3n de notas, que pasa este alias no comprobado, con un \".md\" a\u00f1adido, a una funci\u00f3n path.join() que se lee del sistema de archivos en la rutina de seguimiento y proporciona el contenido precargado de la nueva nota. Esto permite a un atacante no s\u00f3lo leer archivos \".md\" arbitrarios del sistema de archivos, sino tambi\u00e9n observar los cambios en ellos. La utilidad de este ataque puede considerarse limitada, ya que principalmente los archivos markdown usan la terminaci\u00f3n de archivo \".md\" y todos los archivos markdown contenidos en el proyecto hedgedoc, como el README, son p\u00fablicos de todos modos. Si se presentan otras protecciones, como un chroot o un contenedor, o los permisos adecuados para los archivos, la utilidad de este ataque es bastante limitada. A nivel de proxy inverso se puede forzar una decodificaci\u00f3n de la URL, lo que evitar\u00e1 este ataque porque el router no aceptar\u00e1 dicha ruta"}], "lastModified": "2024-11-21T06:01:11.913", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91611414-D98E-4E83-ACE0-BD32E4221510", "versionEndExcluding": "1.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}