CVE Request for information leak in Etherpad exports

[Jeremy Stanley <fungi () yuggoth org>]

A vulnerability was discovered in Etherpad (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public.

Title: Information leak in Etherpad exports
Reporter: webzwo0i
Versions: 1.5.0 through 1.5.1

Description:
webzwo0i reported a vulnerability in the export functionality of
current Etherpad releases. When exporting a padID all pads for which
the requested ID is a substring are also returned, regardless of
access restriction, resulting in an information leak. This includes
group pads created via the API.

Notes:
This bug was introduced in commit 1081156 which was initially
included in the 1.5.0 release, and is fixed in commit a0fb652 which
will appear in a future 1.5.2 release.

References:
https://github.com/ether/etherpad-lite/commit/a0fb652

-- 
Jeremy Stanley

Attachment: signature.asc
Description: Digital signature