CVE-2021-43802— Etherpad 安全漏洞

Admin privilege escalation and arbitrary code execution via malicious *.etherpad imports

Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an `*.etherpad` file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges, the attacker must be able to trigger deletion of `express-session` state or wait for old `express-session` state to be cleaned up. Core Etherpad does not delete any `express-session` state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old `sessionstorage:*` records). The problem has been fixed in version 1.8.16. If users cannot upgrade to 1.8.16 or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to `/p/*/import`, which will block all imports, not just `*.etherpad` imports; limit all users to read-only access; and/or prevent the reuse of `express_sid` cookie values that refer to deleted express-session state. More detailed information and general mitigation strategies may be found in the GitHub Security Advisory.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

特殊元素过滤不恰当

Etherpad 安全漏洞

Etherpad是开源的一个基于Web的在线文档协作工具。多个用户可以通过Etherpad同时编写一个文本文档，并看到所有的参与者的实时编辑。 Etherpad 1.8.16之前版本存在安全漏洞，该漏洞源于软件对于etherpad文件处理存在问题，攻击者可以制作“*.etherpad”文件，导入该文件后，攻击者可能会获得 Etherpad 实例的管理员权限。

N/A

N/A