oss-sec mailing list archives

Re: CVE Request for information leak in Etherpad exports


From: cve-assign () mitre org
Date: Sat, 14 Mar 2015 21:22:40 -0400 (EDT)

When exporting a padID, all pads for which the requested ID is a
substring are also returned, regardless of access restriction,
resulting in an information leak.

https://github.com/ether/etherpad-lite/commit/a0fb65205c7d7ff95f00eb9fd88e93b300f30c3d
src/node/utils/ExportEtherpad.js

Use CVE-2015-2298.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
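
The over-matching described in this message, shown as an added example that is not Etherpad's code and not part of the original post: an export that selects records by pad ID from a constructed key-value store, first with a loose match and then with an exact one. The `pad:<id>[:<subkey>]` key layout, the sample pads and all function names are assumptions made for illustration.

```javascript
// Constructed sample store. The "pad:<id>[:<subkey>]" key layout is an
// assumption for illustration; it is not taken from the page.
const store = new Map([
  ["pad:notes", { text: "public notes" }],
  ["pad:notes:revs:0", { changeset: "r0" }],
  ["pad:notes-board-private", { text: "restricted pad" }],
  ["pad:notes-board-private:revs:0", { changeset: "r0" }],
  ["pad:my-notes", { text: "another user's pad" }],
]);

// Flawed pattern: any key containing the requested ID is exported, so
// records of other pads are returned along with the one that was authorized.
function exportLoose(padId) {
  return [...store.keys()].filter((k) => k.includes(padId));
}

// Hardened pattern: validate the ID, then accept only the pad's own record
// and keys under the exact "pad:<id>:" prefix.
function exportExact(padId) {
  if (typeof padId !== "string" || !/^[^:*\s]+$/.test(padId)) {
    throw new Error("invalid pad ID");
  }
  const own = `pad:${padId}`;
  return [...store.keys()].filter((k) => k === own || k.startsWith(own + ":"));
}

// Regression check: list exported keys that belong to a different pad
// than the one requested. An empty result means nothing leaked.
function foreignKeys(keys, padId) {
  return keys.filter((k) => k.split(":")[1] !== padId);
}
```

Running `foreignKeys` over an export result in a test suite catches this class of defect regardless of how the key selection is implemented.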

