CVE-2021-43802 Information

Description

Etherpad is a real-time collaborative editor. In versions prior to 1.8.16 an attacker can craft an .etherpad file that when imported might allow the attacker to gain admin privileges for the Etherpad instance. This in turn can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges the attacker must be able to trigger deletion of express-session state or wait for old express-session state to be cleaned up. Core Etherpad does not delete any express-session state so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old sessionstorage: records). The problem has been fixed in version 1.8.16. If users cannot upgrade to 1.8.16 or install patches manually several workarounds are available. Users may configure their reverse proxies to reject requests to /p//import which will block all imports not just .etherpad imports; limit all users to read-only access; and/or prevent the reuse of express_sid cookie values that refer to deleted express-session state. More detailed information and general mitigation strategies may be found in the GitHub Security Advisory.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/ether/etherpad-lite/releases/tag/1.8.16 https://github.com/ether/etherpad-lite/compare/b7065eb9a0ec7c3c265f8cfeb2534efe6f036456…77bcb507b30e762e9375b0511b3763e0162aae53 https://github.com/ether/etherpad-lite/issues/5010 https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8