ByteOS Network

NVD Vulnerability Details :

CVE-2022-24837

Analyzed

Source-security-advisories@github.com

Published At-11 Apr, 2022 | 21:15

Updated At-19 Apr, 2022 | 15:30

HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Images uploaded with HedgeDoc version 1.9.1 and later have an enumerable filename after the upload, resulting in potential information leakage of uploaded documents. This is especially relevant for private notes and affects all upload backends, except Lutim and imgur. This issue is patched in version 1.9.3 by replacing the filename generation with UUIDv4. If you cannot upgrade to HedgeDoc 1.9.3, it is possible to block POST requests to `/uploadimage`, which will disable future uploads.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Secondary	3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary	2.0	5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N

CPE Matches

hedgedoc>>hedgedoc>>Versions from 1.9.1(inclusive) to 1.9.3(exclusive)

cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-434	Primary	nvd@nist.gov
CWE-200	Secondary	security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/hedgedoc/hedgedoc/commit/9e2f9e21e904c4a319e84265da7ef03b0a8e343a	security-advisories@github.com	Patch Third Party Advisory
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-q6vv-2q26-j7rx	security-advisories@github.com	Patch Third Party Advisory
https://github.com/node-formidable/formidable/issues/808	security-advisories@github.com	Issue Tracking Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History