CVE-2024-39899

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. In v1.5, PrivateBin introduced the YOURLS server-side proxy. The idea was to allow using the YOURLs URL shortener without running the YOURLs instance without authentication and/or exposing the authentication token to the public, allowing anyone to shorten any URL. With the proxy mechanism, anyone can shorten any URL pointing to the configured PrivateBin instance. The vulnerability allowed other URLs to be shortened, as long as they contain the PrivateBin instance, defeating the limit imposed by the proxy. This vulnerability is fixed in 1.7.4.
Configurations

No configuration.

History

21 Nov 2024, 09:28

Type Values Removed Values Added
References () https://github.com/PrivateBin/PrivateBin/commit/0c4e810e6728f67d678458838d8430dfba4fcca4 - () https://github.com/PrivateBin/PrivateBin/commit/0c4e810e6728f67d678458838d8430dfba4fcca4 -
References () https://github.com/PrivateBin/PrivateBin/pull/1370 - () https://github.com/PrivateBin/PrivateBin/pull/1370 -
References () https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-mqqj-fx8h-437j - () https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-mqqj-fx8h-437j -

11 Jul 2024, 13:06

Type Values Removed Values Added
Summary
  • (es) PrivateBin es un pastbin en línea donde el servidor no tiene conocimiento de los datos pegados. En v1.5, PrivateBin introdujo el proxy del lado del servidor YOURLS. La idea era permitir el uso del acortador de URL de YOURLs sin ejecutar la instancia de YOURLs sin autenticación y/o exponer el token de autenticación al público, permitiendo a cualquiera acortar cualquier URL. Con el mecanismo de proxy, cualquiera puede acortar cualquier URL que apunte a la instancia de PrivateBin configurada. La vulnerabilidad permitió acortar otras URL, siempre que contengan la instancia PrivateBin, anulando el límite impuesto por el proxy. Esta vulnerabilidad se solucionó en 1.7.4.

09 Jul 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-09 19:15

Updated : 2024-11-21 09:28


NVD link : CVE-2024-39899

Mitre link : CVE-2024-39899

CVE.ORG link : CVE-2024-39899


JSON object : View

Products Affected

No product.

CWE
CWE-305

Authentication Bypass by Primary Weakness

CWE-791

Incomplete Filtering of Special Elements