The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsA fix was pushed into the master
branch but not yet published.
ep_etherpad-lite is a modern really-real-time collaborative document editor.
Affected versions of this package are vulnerable to Privilege Escalation. An attacker can craft an *.etherpad
file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands).
To gain privileges, the attacker must be able to trigger deletion of express-session
state or wait for old express-session
state to be cleaned up. Core Etherpad does not delete any express-session
state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old sessionstorage:*
records).
If users cannot upgrade to the fixed version or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to /p/*/import
, which will block all imports, not just *.etherpad
imports; limit all users to read-only access; and/or prevent the reuse of express_sid
cookie values that refer to deleted express-session state.