Bug 933107 (CVE-2015-4085)

Summary: VUL-0: CVE-2015-4085: etherpad: path handling that allowed directory traversal
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Lars Vogdt <lars.vogdt>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: lars.vogdt, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/117085/
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2015-06-01 15:44:18 UTC
Via oss-sec: http://seclists.org/oss-sec/2015/q2/547

A vulnerability was discovered in Etherpad (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public.

Title: Read-only directory traversal in Etherpad frontend tests
Reporter: Tom Hunkapiller
Versions: 1.2.0 through 1.5.3

Tom Hunkapiller reported a vulnerability in the frontend tests of
previous Etherpad releases, which are enabled by default. Parent
directory references were not correctly sanitized in frontend test
URLs of HTTP API calls, allowing an attacker to remotely read
arbitrary files on the server's filesystem with the privileges of
the account running the service.

This bug was introduced in commit ba4ebbb which was initially
included in the 1.2.0 release, and is fixed in commit 5409eb3 which
appears in the 1.5.4 release.


Comment 1 Swamp Workflow Management 2015-06-01 22:00:27 UTC
bugbot adjusting priority
Comment 2 Lars Vogdt 2016-02-18 17:40:34 UTC
Upgraded all our instances to 1.5.7 a while ago. I guess this fixes the problems mentioned above.