PT-2021-18238 · Hedgedoc · Hedgedoc

Published

2021-04-26

·

Updated

2022-10-24

·

CVE-2021-29474

CVSS v3.1

5.8

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HedgeDoc (affected versions not specified)
Description: HedgeDoc does not properly validate the note alias taken from the request URL, which allows an unauthenticated remote attacker to perform a relative path traversal and read arbitrary .md files from the server's filesystem. The internal router passes the URL-encoded alias (for example ..%2F..%2FREADME) to the noteController.showNote function, which hands it unchanged to the findNote() utility; because findNote() resolves the alias relative to the notes directory without checking the result, encoded ../ sequences escape that directory. Besides reading such files, the attacker can also observe subsequent changes to them. To check whether an instance is affected, open a URL such as http://localhost:3000/..%2F..%2FREADME#: if the project README is rendered as a note, the instance is vulnerable. The usefulness of the attack is limited, since HedgeDoc only reads files with the .md file ending and the markdown files shipped with the HedgeDoc project are public anyway. A chroot, a container, or restrictive file permissions for the user the HedgeDoc process runs as further limit what can be reached.
Recommendations: As a temporary workaround, force a URL decode at the reverse-proxy level: once %2F is decoded to a literal /, the router no longer matches the path as a single note alias and the request does not reach findNote(). At the time of this entry, no release containing a fix is recorded here.

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2021-29474
GHSA-p528-555r-pf87

Affected Products

Hedgedoc