oss-sec mailing list archives
CVE Request for information leak in Etherpad exports
From: Jeremy Stanley <fungi () yuggoth org>
Date: Sat, 14 Mar 2015 22:35:25 +0000
A vulnerability was discovered in Etherpad (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public.

Title: Information leak in Etherpad exports
Reporter: webzwo0i
Versions: 1.5.0 through 1.5.1

Description: webzwo0i reported a vulnerability in the export functionality of current Etherpad releases. When exporting a padID all pads for which the requested ID is a substring are also returned, regardless of access restriction, resulting in an information leak. This includes group pads created via the API.

Notes: This bug was introduced in commit 1081156 which was initially included in the 1.5.0 release, and is fixed in commit a0fb652 which will appear in a future 1.5.2 release.

References: https://github.com/ether/etherpad-lite/commit/a0fb652

--
Jeremy Stanley
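The class of bug described in the report, as an added example that is not part of the original message and is not Etherpad's code: an export that collects records with a wildcard key lookup also picks up pads whose ID merely begins with the requested one (the prefix case of the substring match described). The in-memory store, the "pad:<id>" key layout, the function names and the rule that pad IDs may not contain ":" or "*" are assumptions made for illustration.

```javascript
// Constructed sample data: three pads plus per-pad revision records.
const store = new Map([
  ["pad:notes", { text: "public notes" }],
  ["pad:notes:revs:0", { changeset: "r0" }],
  ["pad:notes-board", { text: "restricted board minutes" }],
  ["pad:notes-board:revs:0", { changeset: "r0" }],
  ["pad:agenda", { text: "unrelated pad" }],
]);

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Glob-style key lookup: '*' matches any run of characters.
function findKeys(pattern) {
  const re = new RegExp("^" + pattern.split("*").map(escapeRe).join(".*") + "$");
  return [...store.keys()].filter((k) => re.test(k));
}

// Leaky: the wildcard follows the ID directly, so "notes" also
// matches every key of "notes-board", with no access check on that pad.
function exportKeysLeaky(padId) {
  return findKeys("pad:" + padId + "*");
}

// Bounded: the exact pad record plus only keys under "pad:<id>:".
// IDs carrying the delimiter or a wildcard are rejected up front.
function exportKeysBounded(padId) {
  if (/[*:]/.test(padId)) throw new Error("invalid pad ID");
  const own = store.has("pad:" + padId) ? ["pad:" + padId] : [];
  return own.concat(findKeys("pad:" + padId + ":*"));
}

// Distinct pad IDs touched by a set of keys, for auditing an export.
function padIds(keys) {
  return [...new Set(keys.map((k) => k.split(":")[1]))].sort();
}

console.log("leaky  :", padIds(exportKeysLeaky("notes")));
console.log("bounded:", padIds(exportKeysBounded("notes")));
```

Running `padIds` over the keys of any export and checking that it returns exactly the requested ID is a cheap regression test for this kind of over-matching.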