ep_etherpad-lite@1.8.14 vulnerabilities

A free and open source realtime collaborative editor

latest version

1.8.14

first published

3 years ago

latest version published

3 years ago

licenses detected

Apache-2.0
>=0

View ep_etherpad-lite package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the ep_etherpad-lite package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Privilege Escalation ep_etherpad-lite is a modern really-real-time collaborative document editor. Affected versions of this package are vulnerable to Privilege Escalation. An attacker can craft an `.etherpad` file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges, the attacker must be able to trigger deletion of `express-session` state or wait for old `express-session` state to be cleaned up. Core Etherpad does not delete any `express-session` state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old `sessionstorage:` records). If users cannot upgrade to the fixed version or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to `/p//import`, which will block all imports, not just `.etherpad` imports; limit all users to read-only access; and/or prevent the reuse of `express_sid` cookie values that refer to deleted express-session state. How to fix Privilege Escalation? A fix was pushed into the `master` branch but not yet published.	*

Privilege Escalation

ep_etherpad-lite is a modern really-real-time collaborative document editor.

Affected versions of this package are vulnerable to Privilege Escalation. An attacker can craft an *.etherpad file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands).

To gain privileges, the attacker must be able to trigger deletion of express-session state or wait for old express-session state to be cleaned up. Core Etherpad does not delete any express-session state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old sessionstorage:* records).

If users cannot upgrade to the fixed version or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to /p/*/import, which will block all imports, not just *.etherpad imports; limit all users to read-only access; and/or prevent the reuse of express_sid cookie values that refer to deleted express-session state.

How to fix Privilege Escalation?

A fix was pushed into the master branch but not yet published.

Go back to all versions of this package