Lucene search

K
cveGitHub_MCVE-2021-43802
HistoryDec 09, 2021 - 11:15 p.m.

CVE-2021-43802

2021-12-0923:15:07
CWE-1287
CWE-20
CWE-790
GitHub_M
web.nvd.nist.gov
21
4
cve-2021-43802
etherpad
privilege escalation
security vulnerability
admin privileges
import file
express-session
patch
mitigation

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

47.9%

Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an *.etherpad file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges, the attacker must be able to trigger deletion of express-session state or wait for old express-session state to be cleaned up. Core Etherpad does not delete any express-session state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old sessionstorage:* records). The problem has been fixed in version 1.8.16. If users cannot upgrade to 1.8.16 or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to /p/*/import, which will block all imports, not just *.etherpad imports; limit all users to read-only access; and/or prevent the reuse of express_sid cookie values that refer to deleted express-session state. More detailed information and general mitigation strategies may be found in the GitHub Security Advisory.

Affected configurations

Nvd
Vulners
Node
etherpadetherpadRange<1.8.16
VendorProductVersionCPE
etherpadetherpad*cpe:2.3:a:etherpad:etherpad:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "etherpad-lite",
    "vendor": "ether",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.8.16"
      }
    ]
  }
]

Social References

More

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

47.9%

Related for CVE-2021-43802