CVE-2021-29475
CVSS V2 Medium 5.8
CVSS V3 Critical 10
Description
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker is able to receive arbitrary files from the file system when exporting a note to PDF. Since the code injection has to take place as note content, there fore this exploit requires the attackers ability to modify a note. This will affect all instances, which have pdf export enabled. This issue has been fixed by https://github.com/hedgedoc/hedgedoc/commit/c1789474020a6d668d616464cb2da5e90e123f65 and is available in version 1.5.0. Starting the CodiMD/HedgeDoc instance with `CMD_ALLOW_PDF_EXPORT=false` or set `"allowPDFExport": false` in config.json can mitigate this issue for those who cannot upgrade. This exploit works because while PhantomJS doesn't actually render the `file:///` references to the PDF file itself, it still uses them internally, and exfiltration is possible, and easy through JavaScript rendering. The impact is pretty bad, as the attacker is able to read the CodiMD/HedgeDoc `config.json` file as well any other files on the filesystem. Even though the suggested Docker deploy option doesn't have many interesting files itself, the `config.json` still often contains sensitive information, database credentials, and maybe OAuth secrets among other things.
Overview
- CVE ID
- CVE-2021-29475
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2021-04-26T19:15:08
- Last Modified Date
- 2022-08-03T10:24:01
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*:* | 1 | OR | 1.5.0 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:M/Au:N/C:P/I:P/A:N
- Access Vector
- NETWORK
- Access Compatibility
- MEDIUM
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- NONE
- Base Score
- 5.8
- Severity
- MEDIUM
- Exploitability Score
- 8.6
- Impact Score
- 4.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- CHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 10
- Base Severity
- CRITICAL
- Exploitability Score
- 3.9
- Impact Score
- 5.8
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/hedgedoc/hedgedoc/commit/c1789474020a6d668d616464cb2da5e90e123f65 | Patch Third Party Advisory |
| https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pxxg-px9v-6qf3 | Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-29475 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29475 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 16:16:08 | Added to TrackCVE | |||
| 2022-12-06 02:52:02 | 2021-04-26T19:15Z | 2021-04-26T19:15:08 | CVE Published Date | updated |
| 2022-12-06 02:52:02 | 2022-08-03T10:24:01 | CVE Modified Date | updated | |
| 2022-12-06 02:52:02 | Analyzed | Vulnerability Status | updated | |
| 2022-12-06 02:52:03 | CWE-918 | Weakness Enumeration | updated |