Date: Sat, 14 Mar 2015 22:35:25 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: OSS Security <oss-security@...ts.openwall.com>
Cc: CVE Request <cve-assign@...re.org>, Etherpad Security <security@...erpad.org>, John McLear <John@...ear.co>, webzwo0i <webzwo0i@...2.de>, Stefan Müller <stefan@...fans-entwicklerecke.de>
Subject: CVE Request for information leak in Etherpad exports

A vulnerability was discovered in Etherpad (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public.

Title: Information leak in Etherpad exports

Reporter: webzwo0i

Versions: 1.5.0 through 1.5.1

Description:
webzwo0i reported a vulnerability in the export functionality of current Etherpad releases. When exporting a padID, all pads for which the requested ID is a substring are also returned, regardless of access restriction, resulting in an information leak. This includes group pads created via the API.

Notes:
This bug was introduced in commit 1081156, which was initially included in the 1.5.0 release, and is fixed in commit a0fb652, which will appear in a future 1.5.2 release.

References:
https://github.com/ether/etherpad-lite/commit/a0fb652

-- 
Jeremy Stanley
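The bug class described in the advisory, as an added illustration (not Etherpad's own code, and not the fix in commit a0fb652): a pad store keyed by padID, a lookup that selects every key containing the requested ID, and the exact-match lookup that a fix of this kind restores. The store layout, the sample pad IDs (including the `g.`-prefixed group pad) and the helper names are assumptions made for the example.

```javascript
// Constructed sample store: keys are padIDs, values are pad contents.
// The "g.AbC123$notes" entry models a group pad created via the API, whose
// ID happens to contain the plain pad name "notes" as a substring.
const padStore = new Map([
  ["notes", { text: "public notes" }],
  ["g.AbC123$notes", { text: "group-restricted notes" }],
  ["notes-draft", { text: "another pad" }],
]);

// Vulnerable pattern: a substring/prefix-style key scan. Requesting "notes"
// also returns the group pad and the draft, whatever their access rules.
function exportPadsBySubstring(padId) {
  const out = [];
  for (const [key, pad] of padStore) {
    if (key.includes(padId)) {
      out.push({ padId: key, text: pad.text });
    }
  }
  return out;
}

// Hardened pattern: an exact key lookup, returning at most the one pad
// whose access the caller has already checked.
function exportPadExact(padId) {
  if (!padStore.has(padId)) {
    return null;
  }
  return { padId, text: padStore.get(padId).text };
}

// Regression check a maintainer could keep: an export of padId must never
// contain a row whose ID differs from padId.
function leaksOtherPads(exportFn, padId) {
  const result = exportFn(padId);
  const rows = Array.isArray(result) ? result : result ? [result] : [];
  return rows.some((row) => row.padId !== padId);
}

module.exports = { padStore, exportPadsBySubstring, exportPadExact, leaksOtherPads };
```

The `leaksOtherPads` check is the property worth asserting in a test suite: it fails for the substring lookup and passes for the exact lookup, independent of what the underlying key scan looks like.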