HedgeDoc is a real-time collaborative markdown editor used by many teams. In versions prior to 1.9.9, its API allowed a new note to be created with an alias equal to the ID of an existing note (CVE-2023-38487). Because aliases are resolved before IDs, the attacker's note shadows the original: visitors are shown a manipulated copy, or the original becomes unreachable (denial of service). The impact can be limited by configuration, and the issue is fixed in version 1.9.9.

Exploit Details

When the freeURL feature is enabled (the allowFreeURL config option or the CMD_ALLOW_FREEURL environment variable), any user permitted to create notes can trigger this vulnerability with a POST request to the /new/<ALIAS> API endpoint, where <ALIAS> is set to the ID of an existing note:

POST /new/TARGET_ID HTTP/1.1
Host: example.com
Content-Type: text/markdown
... // other headers

# manipulated note content goes here (markdown body)

HedgeDoc prior to version 1.9.9 did not check whether the supplied <ALIAS> value collides with the ID of an existing note, so the request succeeds and a second note is stored under that alias.

When a user opens the original note's URL, HedgeDoc looks up the alias before the note ID, so only the attacker's note is displayed. Depending on the instance's permission settings, the attack is available to logged-in users or to everyone, including anonymous visitors. The attacker must know the target note's ID. With it, the original content can be replaced with manipulated content such as malicious links, or access to the original note can be blocked entirely (denial of service).

To fix CVE-2023-38487, update HedgeDoc to version 1.9.9 or later, which contains the bug fix. If you cannot update immediately, disable freeURL mode so the /new/<ALIAS> endpoint is not available. You can also reduce the exposure by enabling requireFreeURLAuthentication/CMD_REQUIRE_FREEURL_AUTHENTICATION, which restricts note creation in freeURL mode to logged-in users.
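The following is an added, constructed in-memory model of the lookup and creation behaviour described above; it is not HedgeDoc's code, and the class, method and config names are hypothetical. It shows how an alias equal to an existing note ID shadows that note when aliases are resolved first, the collision check that the unpatched versions lacked, and how the requireFreeURLAuthentication setting keeps anonymous users from reaching the vulnerable path at all.

```javascript
// Constructed model of alias/ID note resolution (not HedgeDoc's own code).
// Config keys mirror the HedgeDoc options named in the text; everything else
// (NoteStore, method names, id format) is a hypothetical illustration.
class NoteStore {
  constructor({ allowFreeURL, requireFreeURLAuthentication, patched }) {
    this.cfg = { allowFreeURL, requireFreeURLAuthentication, patched };
    this.byId = new Map();    // server-generated id -> note
    this.byAlias = new Map(); // user-chosen alias -> note
    this.counter = 0;
  }

  // Like POST /new: the server picks the id, no alias involved.
  createNote(content) {
    const note = { id: `note-${++this.counter}`, alias: null, content };
    this.byId.set(note.id, note);
    return note;
  }

  // Like POST /new/<alias> in freeURL mode. `user` is null for anonymous callers.
  createAliasedNote(alias, content, user) {
    if (!this.cfg.allowFreeURL) throw new Error("freeURL disabled");
    if (this.cfg.requireFreeURLAuthentication && !user) throw new Error("login required");
    if (this.byAlias.has(alias)) throw new Error("alias already taken");
    // The check missing before 1.9.9: an alias must not equal an existing note id.
    if (this.cfg.patched && this.byId.has(alias)) throw new Error("alias collides with note id");
    const note = { id: `note-${++this.counter}`, alias, content };
    this.byId.set(note.id, note);
    this.byAlias.set(alias, note);
    return note;
  }

  // Like GET /<ref>: the alias index is consulted before the id index,
  // which is exactly why a colliding alias shadows the original note.
  resolve(ref) {
    return this.byAlias.get(ref) || this.byId.get(ref) || null;
  }
}

// Run the attack against an unpatched or patched store and report what a
// visitor of the original note's URL would now see.
function shadowAttack(patched) {
  const store = new NoteStore({ allowFreeURL: true, requireFreeURLAuthentication: false, patched });
  const victim = store.createNote("# Team runbook\nReal instructions"); // constructed sample
  let shown;
  try {
    store.createAliasedNote(victim.id, "# Team runbook\nGo to https://evil.example", null);
    shown = store.resolve(victim.id).content;
  } catch (e) {
    shown = `rejected: ${e.message}`;
  }
  return { originalIntact: store.resolve(victim.id) === victim, shown };
}

// With requireFreeURLAuthentication, an anonymous attacker never reaches the bug.
function anonymousBlocked() {
  const store = new NoteStore({ allowFreeURL: true, requireFreeURLAuthentication: true, patched: false });
  const victim = store.createNote("private");
  try {
    store.createAliasedNote(victim.id, "spoof", null);
    return false;
  } catch (e) {
    return e.message === "login required";
  }
}

console.log(shadowAttack(false)); // unpatched: original shadowed
console.log(shadowAttack(true));  // patched: alias rejected
console.log(anonymousBlocked());  // true
```

The model deliberately keeps the alias-first resolution order in both the patched and unpatched variants: the 1.9.9 fix described on this page is the rejection of colliding aliases at creation time, not a change in how existing notes are looked up.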

Original References

1. HedgeDoc Release Notes (1.9.9): https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.9
2. Issue Details on GitHub: https://github.com/hedgedoc/hedgedoc/issues/437

In summary, CVE-2023-38487 in HedgeDoc versions prior to 1.9.9 lets an attacker present a manipulated version of an existing note or block access to it entirely. Updating to version 1.9.9 fixes the issue; until then, disabling freeURL mode or requiring authentication for note creation in freeURL mode limits the exposure.

Timeline

Published on: 08/04/2023 16:15:00 UTC
Last modified on: 08/10/2023 16:55:00 UTC