PT-2021-10792 · Etherpad · Etherpad

Published

2021-04-28

·

Updated

2021-05-05

·

CVE-2020-22785

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Etherpad versions prior to 1.8.3

Description

The pad import endpoint is missing a lock check, performs no ownership check and is not rate limited. An attacker who aggressively sends empty import requests to random pad import endpoints can therefore flatten all pads, resulting in a denial of service.

Recommendations

Update Etherpad to version 1.8.3 or later. As a temporary workaround, apply rate limiting to the pad import endpoints and restrict access to them so that they cannot be hammered with empty data.
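As an added illustration of the workaround (example code written for this advisory, not Etherpad's own code): an in-memory sliding-window rate limiter and an empty-payload check, wrapped as Express-style middleware that would sit in front of an import route. The route path /p/:pad/import, the quota of 3 imports per minute per client address, and the use of the Content-Length header as the payload size are assumptions made for the example.

```javascript
// Added example for this advisory, not Etherpad's own code. The route path,
// the limits and the use of Content-Length as the payload size are assumptions.

// In-memory sliding-window limiter: at most `limit` hits per `windowMs` per key.
// `now` is injectable so the behaviour can be exercised with a fake clock.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of hits still inside the window
  }

  // Record a hit for `key`; returns false when the key has exhausted its quota.
  allow(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => ts > t - this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(t);
    this.hits.set(key, recent);
    return allowed;
  }
}

// Decide what to do with one import request. Kept free of Express objects so
// the decision logic can be tested directly; `req` carries only ip, padId and
// bodyLength.
function decideImport(limiter, req) {
  // Reject an empty upload before any pad state is touched.
  if (!(req.bodyLength > 0)) {
    return { status: 400, reason: 'empty import payload rejected' };
  }
  // Throttle per client address so one source cannot sweep many pads.
  if (!limiter.allow(req.ip)) {
    return { status: 429, reason: 'import rate limit exceeded' };
  }
  return { status: 200, reason: 'ok' };
}

// Express-style middleware, e.g. app.post('/p/:pad/import', importGuard(limiter), handler)
function importGuard(limiter) {
  return (req, res, next) => {
    const decision = decideImport(limiter, {
      ip: req.ip,
      padId: req.params.pad,
      bodyLength: Number(req.headers['content-length'] || 0),
    });
    if (decision.status !== 200) {
      res.status(decision.status).send(decision.reason);
      return;
    }
    next();
  };
}

// Constructed scenario: client 10.0.0.1 first sends an empty import, then five
// imports to random pads within one minute; client 10.0.0.2 sends one; then the
// clock advances past the window and 10.0.0.1 is allowed again.
function simulate() {
  let clock = 1_000_000;
  const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 60_000, now: () => clock });
  const statuses = [];
  const send = (ip, padId, bodyLength) =>
    statuses.push(decideImport(limiter, { ip, padId, bodyLength }).status);

  send('10.0.0.1', 'pad-a', 0);
  for (const pad of ['pad-b', 'pad-c', 'pad-d', 'pad-e', 'pad-f']) {
    send('10.0.0.1', pad, 512);
    clock += 1_000;
  }
  send('10.0.0.2', 'pad-b', 512);
  clock += 60_000;
  send('10.0.0.1', 'pad-g', 512);
  return statuses; // 400 200 200 200 429 429 200 200
}

console.log(simulate().join(' '));
```

The empty-payload check runs before the limiter so that empty requests are refused without consuming quota, and the limiter is keyed on the client address rather than the pad, because the attack pattern described above spreads requests across random pads. Behind a reverse proxy, req.ip is only meaningful when Express's trust proxy setting is configured; an in-memory limiter also resets on restart and is not shared across instances.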

Exploit

Fix

DoS

Weakness Enumeration

Allocation of Resources Without Limits or Throttling (CWE-770)

Related Identifiers

CVE-2020-22785

Affected Products

Etherpad