Date: Sat, 14 Mar 2015 21:22:40 -0400 (EDT)
From: cve-assign@...re.org
To: fungi@...goth.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...erpad.org, John@...ear.co, webzwo0i@...2.de, stefan@...fans-entwicklerecke.de
Subject: Re: CVE Request for information leak in Etherpad exports

> When exporting a padID all pads for which the requested ID is a
> substring are also returned, regardless of access restriction,
> resulting in an information leak.

> https://github.com/ether/etherpad-lite/commit/a0fb65205c7d7ff95f00eb9fd88e93b300f30c3d
> src/node/utils/ExportEtherpad.js

Use CVE-2015-2298.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
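
An added illustration of the bug class in the quoted report (an export lookup that also matches other pad IDs), not code from Etherpad or from anyone in this thread. The `pad:<id>` / `pad:<id>:<sub-record>` key layout, the glob-style `findKeys` helper, the function names and the sample records are all assumptions constructed for the example.

```javascript
// Added example: constructed data and hypothetical helper names throughout.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Hypothetical glob search over the store: "*" matches any run of characters.
function findKeys(db, pattern) {
  const re = new RegExp("^" + pattern.split("*").map(escapeRe).join(".*") + "$");
  return [...db.keys()].filter((key) => re.test(key));
}

// Leaky export: the wildcard directly follows the requested ID, so every pad
// whose ID merely starts with that ID is swept into the export as well.
function exportKeysLeaky(db, padId) {
  return findKeys(db, `pad:${padId}*`);
}

// Hardened export: only the pad's own record and records under "pad:<id>:".
// Assumes ":" is the key separator and never part of a valid pad ID.
function exportKeysStrict(db, padId) {
  if (/[*:]/.test(padId)) throw new Error("invalid pad ID");
  const own = `pad:${padId}`;
  return [...db.keys()].filter((key) => key === own || key.startsWith(own + ":"));
}

// Constructed sample store: one open pad and one access-restricted pad.
const db = new Map([
  ["pad:notes", { text: "open pad" }],
  ["pad:notes:revs:0", { changeset: "r0" }],
  ["pad:notes-private", { text: "restricted pad" }],
  ["pad:notes-private:revs:0", { changeset: "restricted r0" }],
]);

console.log("leaky :", exportKeysLeaky(db, "notes"));
console.log("strict:", exportKeysStrict(db, "notes"));
```

The per-pad access check still has to run on the requested ID before the export; the strict match only ensures that no other pad's records ride along with an authorised request.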
