CVE-2022-24837

Enumerable upload file names in hedgedoc

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Images uploaded with HedgeDoc version 1.9.1 and later have an enumerable filename after the upload, resulting in potential information leakage of uploaded documents. This is especially relevant for private notes and affects all upload backends, except Lutim and imgur. This issue is patched in version 1.9.3 by replacing the filename generation with UUIDv4. If you cannot upgrade to HedgeDoc 1.9.3, it is possible to block POST requests to `/uploadimage`, which will disable future uploads.

HedgeDoc es un editor de código abierto, basado en la web, auto-alojado y colaborativo. Las imágenes subidas con HedgeDoc versiones 1.9.1 y posteriores, presentan un nombre de archivo enumerable después de la subida, resultando en un potencial filtrado de información de los documentos subidos. Esto es especialmente relevante para las notas privadas y afecta a todos los backends de subida, excepto Lutim e imgur. Este problema ha sido corregido en versión 1.9.3, al sustituir la generación de nombres de archivo por UUIDv4. Si no puedes actualizar a HedgeDoc versión 1.9.3, es posible bloquear las peticiones POST a "/uploadimage", lo que deshabilitará futuras subidas

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-04-11 CVE Published
2023-11-02 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (3)

URL	Tag	Source
https://github.com/node-formidable/formidable/issues/808	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/hedgedoc/hedgedoc/commit/9e2f9e21e904c4a319e84265da7ef03b0a8e343a	2022-04-19
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-q6vv-2q26-j7rx	2022-04-19

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hedgedoc Search vendor "Hedgedoc"		Hedgedoc Search vendor "Hedgedoc" for product "Hedgedoc"				>= 1.9.1 < 1.9.3 Search vendor "Hedgedoc" for product "Hedgedoc" and version " >= 1.9.1 < 1.9.3"		-		Affected