cve-2024-45308
Vulnerability from cvelistv5
Published
2024-09-02 16:40
Modified
2024-09-03 14:06
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
Summary
HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc 1 with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes. The affected existing note can then not be accessed anymore and is effectively hidden by the new one. When the freeURL feature is enabled (by setting the `allowFreeURL` config option or the `CMD_ALLOW_FREEURL` environment variable to `true`), any user with the appropriate permissions can create a note with an arbitrary alias, e.g. by accessing it in the browser. When MySQL or MariaDB are used, it is possible to create a new note with an alias that matches the lower-cased ID of a different note. HedgeDoc then always presents the new note to users, as these databases perform case-insensitive matching and the lower-cased alias is found first. This issue only affects HedgeDoc instances that use MySQL or MariaDB. Depending on the permission settings of the HedgeDoc instance, the issue can be exploited only by logged-in users or by all (including non-logged-in) users. The exploit requires knowledge of the ID of the target note. Attackers could use this issue to present a manipulated copy of the original note to the user, e.g. by replacing the links with malicious ones. Attackers can also use this issue to prevent access to the original note, causing a denial of service. No data is lost, as the original content of the affected notes is still present in the database. Users are advised to upgrade to version 1.10.0 which addresses this issue. Users unable to upgrade may disable freeURL mode which prevents the exploitation of this issue. The impact can also be limited by restricting freeURL note creation to trusted, logged-in users by enabling `requireFreeURLAuthentication`/`CMD_REQUIRE_FREEURL_AUTHENTICATION`.
References
security-advisories@github.comhttps://github.com/hedgedoc/hedgedoc/commit/380587b7fd65bc1eb71eef51a3aab324f9877650
security-advisories@github.comhttps://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "hedgedoc",
            "vendor": "hedgedoc",
            "versions": [
              {
                "lessThan": "1.10.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45308",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-03T13:50:09.519694Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T14:06:53.073Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "hedgedoc",
          "vendor": "hedgedoc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.10.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc 1 with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes. The affected existing note can then not be accessed anymore and is effectively hidden by the new one. When the freeURL feature is enabled (by setting the `allowFreeURL` config option or the `CMD_ALLOW_FREEURL` environment variable to `true`), any user with the appropriate permissions can create a note with an arbitrary alias, e.g. by accessing it in the browser. When MySQL or MariaDB are used, it is possible to create a new note with an alias that matches the lower-cased ID of a different note. HedgeDoc then always presents the new note to users, as these databases perform case-insensitive matching and the lower-cased alias is found first. This issue only affects HedgeDoc instances that use MySQL or MariaDB. Depending on the permission settings of the HedgeDoc instance, the issue can be exploited only by logged-in users or by all (including non-logged-in) users. The exploit requires knowledge of the ID of the target note. Attackers could use this issue to present a manipulated copy of the original note to the user, e.g. by replacing the links with malicious ones. Attackers can also use this issue to prevent access to the original note, causing a denial of service. No data is lost, as the original content of the affected notes is still present in the database. Users are advised to upgrade to version 1.10.0 which addresses this issue. Users unable to upgrade may disable freeURL mode which prevents the exploitation of this issue. The impact can also be limited by restricting freeURL note creation to trusted, logged-in users by enabling `requireFreeURLAuthentication`/`CMD_REQUIRE_FREEURL_AUTHENTICATION`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1289",
              "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-02T16:40:31.855Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p"
        },
        {
          "name": "https://github.com/hedgedoc/hedgedoc/commit/380587b7fd65bc1eb71eef51a3aab324f9877650",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hedgedoc/hedgedoc/commit/380587b7fd65bc1eb71eef51a3aab324f9877650"
        }
      ],
      "source": {
        "advisory": "GHSA-pjf2-269h-cx7p",
        "discovery": "UNKNOWN"
      },
      "title": "MySQL \u0026 free URL mode allows to hide existing notes in hedgedoc"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-45308",
    "datePublished": "2024-09-02T16:40:31.855Z",
    "dateReserved": "2024-08-26T18:25:35.444Z",
    "dateUpdated": "2024-09-03T14:06:53.073Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-45308\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-09-02T18:15:37.150\",\"lastModified\":\"2024-09-03T12:59:02.453\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc 1 with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes. The affected existing note can then not be accessed anymore and is effectively hidden by the new one. When the freeURL feature is enabled (by setting the `allowFreeURL` config option or the `CMD_ALLOW_FREEURL` environment variable to `true`), any user with the appropriate permissions can create a note with an arbitrary alias, e.g. by accessing it in the browser. When MySQL or MariaDB are used, it is possible to create a new note with an alias that matches the lower-cased ID of a different note. HedgeDoc then always presents the new note to users, as these databases perform case-insensitive matching and the lower-cased alias is found first. This issue only affects HedgeDoc instances that use MySQL or MariaDB. Depending on the permission settings of the HedgeDoc instance, the issue can be exploited only by logged-in users or by all (including non-logged-in) users. The exploit requires knowledge of the ID of the target note. Attackers could use this issue to present a manipulated copy of the original note to the user, e.g. by replacing the links with malicious ones. Attackers can also use this issue to prevent access to the original note, causing a denial of service. No data is lost, as the original content of the affected notes is still present in the database. Users are advised to upgrade to version 1.10.0 which addresses this issue. Users unable to upgrade may disable freeURL mode which prevents the exploitation of this issue. The impact can also be limited by restricting freeURL note creation to trusted, logged-in users by enabling `requireFreeURLAuthentication`/`CMD_REQUIRE_FREEURL_AUTHENTICATION`.\"},{\"lang\":\"es\",\"value\":\"HedgeDoc es una aplicaci\u00f3n de notas de c\u00f3digo abierto, en tiempo real, colaborativa y con formato Markdown. Al utilizar HedgeDoc 1 con MySQL o MariaDB, es posible crear notas con un alias que coincida con el ID de las notas existentes. A partir de ese momento, ya no se puede acceder a la nota existente afectada y la nueva la oculta de manera efectiva. Cuando se habilita la funci\u00f3n freeURL (estableciendo la opci\u00f3n de configuraci\u00f3n `allowFreeURL` o la variable de entorno `CMD_ALLOW_FREEURL` en `true`), cualquier usuario con los permisos adecuados puede crear una nota con un alias arbitrario, por ejemplo, accediendo a ella en el navegador. Cuando se utiliza MySQL o MariaDB, es posible crear una nueva nota con un alias que coincida con el ID en min\u00fasculas de una nota diferente. Luego, HedgeDoc siempre presenta la nueva nota a los usuarios, ya que estas bases de datos realizan una comparaci\u00f3n sin distinguir entre may\u00fasculas y min\u00fasculas y el alias en min\u00fasculas se encuentra primero. Este problema solo afecta a las instancias de HedgeDoc que utilizan MySQL o MariaDB. Seg\u00fan la configuraci\u00f3n de permisos de la instancia de HedgeDoc, el problema puede ser explotado solo por usuarios que hayan iniciado sesi\u00f3n o por todos los usuarios (incluidos los que no hayan iniciado sesi\u00f3n). El exploit requiere el conocimiento del ID de la nota de destino. Los atacantes podr\u00edan usar este problema para presentar una copia manipulada de la nota original al usuario, por ejemplo, reemplazando los enlaces con enlaces maliciosos. Los atacantes tambi\u00e9n pueden usar este problema para evitar el acceso a la nota original, lo que provoca una denegaci\u00f3n de servicio. No se pierden datos, ya que el contenido original de las notas afectadas a\u00fan est\u00e1 presente en la base de datos. Se recomienda a los usuarios que actualicen a la versi\u00f3n 1.10.0 que soluciona este problema. Los usuarios que no puedan actualizar pueden desactivar el modo freeURL que evita la explotaci\u00f3n de este problema. El impacto tambi\u00e9n se puede limitar restringiendo la creaci\u00f3n de notas freeURL a usuarios confiables que hayan iniciado sesi\u00f3n habilitando `requireFreeURLAuthentication`/`CMD_REQUIRE_FREEURL_AUTHENTICATION`.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1289\"}]}],\"references\":[{\"url\":\"https://github.com/hedgedoc/hedgedoc/commit/380587b7fd65bc1eb71eef51a3aab324f9877650\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.