CVE-2021-29474 Information
Description
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker can read arbitrary .md files from the server’s filesystem due to improper input validation, which results in the ability to perform a relative path traversal. To verify whether you are affected, you can try to open the following URL: http://localhost:3000/..%2F..%2FREADME (replace http://localhost:3000 with your instance’s base URL, e.g. https://demo.hedgedoc.org/..%2F..%2FREADME). If you see a README page being rendered, you are running an affected version. The attack works because the internal router passes the URL-encoded alias to the noteController.showNote function. This function passes the input directly to the findNote() utility function, which passes it on to the parseNoteId() function; that function tries to make sense of the noteId/alias, checks whether a note already exists and, if so, whether a corresponding file on disk was updated. If no note exists, the note-creation function is called, which passes this unvalidated alias, with .md appended, into a path.join() call; the resulting path is read from the filesystem in the follow-up routine and provides the pre-filled content of the new note. This allows an attacker not only to read arbitrary .md files from the filesystem but also to observe changes to them. The usefulness of this attack can be considered limited, since mainly markdown files use the file ending .md, and all markdown files contained in the HedgeDoc project, like the README, are public anyway. If other protections such as a chroot, a container or proper file permissions are in place, this attack’s usefulness is rather limited. On the reverse-proxy level one can force a URL-decode, which prevents this attack because the router will not accept such a path.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Reference
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction Required: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Base Score: 5.8
Base Severity: MEDIUM