oss-sec mailing list archives
Re: CVE Request for information leak in Etherpad exports
From: cve-assign () mitre org
Date: Sat, 14 Mar 2015 21:22:40 -0400 (EDT)
When exporting a padID all pads for which the requested ID is a substring are also returned, regardless of access restriction, resulting in an information leak.
https://github.com/ether/etherpad-lite/commit/a0fb65205c7d7ff95f00eb9fd88e93b300f30c3d
src/node/utils/ExportEtherpad.js
Use CVE-2015-2298.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300 202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
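The class of bug described above, as an added example that is not part of the original message and is not Etherpad's code: an export that selects records with a wildcard placed directly after the requested ID, beside a lookup anchored on an exact key and a delimiter. The store contents, the "pad:<id>" / "pad:<id>:<subkey>" key layout and the function names findKeys, exportKeysLoose and exportKeysStrict are assumptions made for illustration.

```javascript
// Constructed sample store. The key layout "pad:<id>" and
// "pad:<id>:<subkey>" is an assumption for this example.
const store = new Map([
  ["pad:team", { text: "public notes" }],
  ["pad:team:revs:0", { changeset: "constructed" }],
  ["pad:team-private", { text: "restricted notes" }],
  ["pad:team-private:revs:0", { changeset: "constructed" }],
  ["pad:teamwork:chat:0", { text: "hello" }],
]);

// Minimal glob matcher (hypothetical helper): "*" matches any run of
// characters, every other character is matched literally.
function findKeys(pattern) {
  const escaped = pattern
    .split("*")
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  const re = new RegExp("^" + escaped + "$");
  return [...store.keys()].filter((k) => re.test(k)).sort();
}

// Loose lookup: the wildcard follows the ID directly, so a request for
// "team" also selects the records of "team-private" and "teamwork".
function exportKeysLoose(padId) {
  return findKeys("pad:" + padId + "*");
}

// Strict lookup: the pad's own record by exact key, and sub-records only
// after the ":" delimiter. IDs containing "*" or ":" are rejected so the
// caller cannot widen the pattern.
function exportKeysStrict(padId) {
  if (typeof padId !== "string" || padId === "" || /[*:]/.test(padId)) {
    throw new Error("invalid padId");
  }
  const own = store.has("pad:" + padId) ? ["pad:" + padId] : [];
  return own.concat(findKeys("pad:" + padId + ":*"));
}

console.log("loose :", exportKeysLoose("team"));
console.log("strict:", exportKeysStrict("team"));
```

Exact key selection only narrows what the export reads; the access check for the requested pad still has to run before any of it is returned.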
Current thread:
- CVE Request for information leak in Etherpad exports Jeremy Stanley (Mar 14)
- Re: CVE Request for information leak in Etherpad exports cve-assign (Mar 14)