HedgeDoc up to 1.9.x CMD_ALLOW_FREEURL improper validation of unsafe equivalence in input

Summaryinfo

A vulnerability was found in HedgeDoc up to 1.9.x. It has been rated as problematic. This affects an unknown function. Performing a manipulation of the argument CMD_ALLOW_FREEURL results in improper validation of unsafe equivalence in input. This vulnerability is cataloged as CVE-2024-45308. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability, which was classified as problematic, was found in HedgeDoc up to 1.9.x. This affects an unknown function. The manipulation of the argument CMD_ALLOW_FREEURL with an unknown input leads to a improper validation of unsafe equivalence in input vulnerability. CWE is classifying the issue as CWE-1289. The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value. This is going to have an impact on integrity, and availability. The summary by CVE is:

HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc 1 with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes. The affected existing note can then not be accessed anymore and is effectively hidden by the new one. When the freeURL feature is enabled (by setting the `allowFreeURL` config option or the `CMD_ALLOW_FREEURL` environment variable to `true`), any user with the appropriate permissions can create a note with an arbitrary alias, e.g. by accessing it in the browser. When MySQL or MariaDB are used, it is possible to create a new note with an alias that matches the lower-cased ID of a different note. HedgeDoc then always presents the new note to users, as these databases perform case-insensitive matching and the lower-cased alias is found first. This issue only affects HedgeDoc instances that use MySQL or MariaDB. Depending on the permission settings of the HedgeDoc instance, the issue can be exploited only by logged-in users or by all (including non-logged-in) users. The exploit requires knowledge of the ID of the target note. Attackers could use this issue to present a manipulated copy of the original note to the user, e.g. by replacing the links with malicious ones. Attackers can also use this issue to prevent access to the original note, causing a denial of service. No data is lost, as the original content of the affected notes is still present in the database. Users are advised to upgrade to version 1.10.0 which addresses this issue. Users unable to upgrade may disable freeURL mode which prevents the exploitation of this issue. The impact can also be limited by restricting freeURL note creation to trusted, logged-in users by enabling `requireFreeURLAuthentication`/`CMD_REQUIRE_FREEURL_AUTHENTICATION`.

It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2024-45308 since 08/26/2024. The exploitability is told to be difficult. It is possible to initiate the attack remotely. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 1.10.0 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Name

• HedgeDoc

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7
• 1.8
• 1.9

Website

• Product: https://github.com/hedgedoc/hedgedoc/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion