CVE-2021-43802

{"id": "CVE-2021-43802", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2021-12-09T23:15:07.517", "references": [{"url": "https://github.com/ether/etherpad-lite/compare/b7065eb9a0ec7c3c265f8cfeb2534efe6f036456...77bcb507b30e762e9375b0511b3763e0162aae53", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ether/etherpad-lite/issues/5010", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ether/etherpad-lite/releases/tag/1.8.16", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1287"}, {"lang": "en", "value": "CWE-790"}]}], "descriptions": [{"lang": "en", "value": "Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an `*.etherpad` file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges, the attacker must be able to trigger deletion of `express-session` state or wait for old `express-session` state to be cleaned up. Core Etherpad does not delete any `express-session` state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old `sessionstorage:*` records). The problem has been fixed in version 1.8.16. If users cannot upgrade to 1.8.16 or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to `/p/*/import`, which will block all imports, not just `*.etherpad` imports; limit all users to read-only access; and/or prevent the reuse of `express_sid` cookie values that refer to deleted express-session state. More detailed information and general mitigation strategies may be found in the GitHub Security Advisory."}, {"lang": "es", "value": "Etherpad es un editor colaborativo en tiempo real. En las versiones anteriores a 1.8.16, un atacante puede dise\u00f1ar un archivo \"*.etherpad\" que, cuando es importado, puede permitirle conseguir privilegios de administrador para la instancia de Etherpad. Esto, a su vez, puede ser usado para instalar un plugin malicioso de Etherpad que puede ejecutar c\u00f3digo arbitrario (incluyendo comandos del sistema). Para obtener privilegios, el atacante debe ser capaz de desencadenar la eliminaci\u00f3n del estado de \"express-session\" o esperar a que se limpie el estado de la \"sesi\u00f3n express\". El n\u00facleo de Etherpad no elimina ning\u00fan estado de \"express-session\", por lo que los \u00fanicos ataques conocidos requieren un plugin que pueda eliminar el estado de la sesi\u00f3n o un proceso de limpieza personalizado (como una tarea cron que elimine los registros antiguos de \"sessionstorage:*\"). El problema ha sido corregido en la versi\u00f3n 1.8.16. Si los usuarios no pueden actualizar a la versi\u00f3n 1.8.16 o instalar los parches manualmente, se presentan varias soluciones disponibles. Los usuarios pueden configurar sus proxies inversos para que rechacen las peticiones a \"/p/*/import\", lo que bloquear\u00e1 todas las importaciones, no s\u00f3lo las de \"*.etherpad\"; limitar a todos los usuarios el acceso de s\u00f3lo lectura; y/o evitar la reutilizaci\u00f3n de los valores de las cookies \"express_sid\" que hacen referencia al estado de la sesi\u00f3n express eliminada. Puede encontrarse informaci\u00f3n m\u00e1s detallada y estrategias generales de mitigaci\u00f3n en el aviso de seguridad de GitHub"}], "lastModified": "2023-08-31T16:19:33.527", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:etherpad:etherpad:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEC93782-D761-4BA0-A634-0C03187D7F9E", "versionEndExcluding": "1.8.16"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}