Bugzilla – Bug 927641
VUL-2: CVE-2015-3297, CVE-2015-3309: etherpad-lite: remote directory traversal
Last modified: 2021-05-11 11:45:46 UTC
via oss-sec

http://seclists.org/oss-sec/2015/q2/103

> A vulnerability was discovered in Etherpad (see below). In order to
> ensure full traceability, we need a CVE number assigned that we can
> attach to further notifications. This issue is already public.
>
> Title: Read-only directory traversal in Etherpad Minify
> Reporter: Tom Hunkapiller
> Versions: 1.1.2 through 1.5.2
>
> Description:
> Tom Hunkapiller reported a vulnerability in the minify feature of
> current Etherpad releases. Backslashes are replaced with slashes in
> the path parameter of HTTP API calls after path normalization is
> applied, allowing an attacker supplying specially-crafted requests
> to remotely read arbitrary files on the server's filesystem with the
> privileges of the account running the service.
>
> Notes:
> This bug was introduced in commit a97b83b which was initially
> included in the 1.1.2 release, and is fixed in commit 9d4e5f6 which
> will appear in a future 1.5.3 release.
>
> References:
> https://github.com/ether/etherpad-lite/commit/9d4e5f6

This is CVE-2015-3297.

http://seclists.org/oss-sec/2015/q2/114

> The original report for CVE-2015-3297 incorrectly specified the
> commit introducing the bug as a97b83b when it should actually have
> been 7b518eeb. As a result the earliest affected version is actually
> 1.1.1 rather than 1.1.2 as was originally reported. A corrected
> report can be found below.
>
> Title: Read-only directory traversal in Etherpad Minify
> Reporter: Tom Hunkapiller
> Versions: 1.1.1 through 1.5.2
>
> Description:
> Tom Hunkapiller reported a vulnerability in the minify feature of
> current Etherpad releases. Backslashes are replaced with slashes in
> the path parameter of HTTP API calls after path normalization is
> applied, allowing an attacker supplying specially-crafted requests
> to remotely read arbitrary files on the server's filesystem with the
> privileges of the account running the service.
>
> Notes:
> This bug was introduced in commit 7b518eeb which was initially
> included in the 1.1.1 release, and is fixed in commit 9d4e5f6 which
> appears in the 1.5.3 release.
>
> References:
> https://github.com/ether/etherpad-lite/commit/9d4e5f6

http://seclists.org/oss-sec/2015/q2/115

> A vulnerability was discovered in Etherpad (see below). In order to
> ensure full traceability, we need a CVE number assigned that we can
> attach to further notifications. This issue is already public.
>
> Title: Incomplete fix to CVE-2015-3297 in Etherpad Minify
> Reporter: anonymous
> Versions: 1.1.2 through 1.5.4
>
> Description:
> An anonymous reporter pointed out an incomplete fix to CVE-2015-3297
> in the minify feature of current Etherpad releases. There is an
> additional location in the script where backslashes are replaced
> with slashes in the path parameter of HTTP API calls after path
> normalization is applied, allowing an attacker supplying a slightly
> different specially-crafted request to remotely read arbitrary files
> on the server's filesystem with the privileges of the account
> running the service.
>
> Notes:
> This bug was introduced in commit a97b83b which was initially
> included in the 1.1.2 release (a later commit than the one which
> introduced CVE-2015-3297 in 1.1.1), and is fixed in commit 0fa7650
> which will appear in a future 1.5.5 release.
>
> References:
> https://github.com/ether/etherpad-lite/commit/0fa7650

This is CVE-2015-3309.
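
The ordering flaw described in both reports above (separator replacement applied after normalization), shown beside a hardened ordering. This is an added example, not code from Etherpad or from this bug report; `ROOT`, the function names and the sample inputs are assumptions constructed for illustration, and POSIX path rules are assumed.

```javascript
// Added illustration: ROOT, the function names and the sample inputs are
// constructed for this example and are not taken from Etherpad's source.
const path = require('path').posix; // POSIX rules: "\" is an ordinary character

const ROOT = '/srv/app/static'; // hypothetical directory the handler may serve

// Flawed order from the reports: normalize and check first, convert "\" to "/"
// afterwards. The check never sees a ".." segment, because "..\..\x" is a
// single file name until the replacement turns it into "../../x".
function resolveFlawed(requested) {
  const normalized = path.normalize(path.join(ROOT, requested));
  if (!normalized.startsWith(ROOT + '/')) return null; // containment check
  const converted = normalized.replace(/\\/g, '/');    // too late
  return path.normalize(converted); // the path the file read ends up using
}

// Hardened order: convert separators once, up front; resolve; then make the
// containment check the last step before the path is used.
function resolveHardened(requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) return null;
  const converted = requested.replace(/\\/g, '/');
  const resolved = path.resolve(ROOT, converted);
  const rel = path.relative(ROOT, resolved);
  const escapes = rel === '' || rel === '..' || rel.startsWith('../');
  return escapes ? null : resolved;
}

// Constructed inputs: two ordinary requests and two traversal attempts.
const samples = ['js/pad.js', 'js\\pad.js', '../../private/notes.txt',
                 '..\\..\\private\\notes.txt'];

function compare(inputs) {
  return inputs.map((p) => ({
    input: p,
    flawed: resolveFlawed(p),
    hardened: resolveHardened(p),
  }));
}

console.table(compare(samples));
```

Keeping the containment check as the final transformation before the file is opened also covers the incomplete-fix case: a second replacement elsewhere in the handler cannot reintroduce `..` segments after the check has run.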
Fix for etherpad.opensuse.org - no information about the internal one, but I think this has also been upgraded for a while now. Packages are updated -> therefore closing.