CVE-2021-43802

Name of the Vulnerable Software and Affected Versions: Etherpad versions prior to 1.8.16

Description: Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an *.etherpad file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code, including system commands. To gain privileges, the attacker must be able to trigger deletion of express-session state or wait for old express-session state to be cleaned up. Core Etherpad does not delete any express-session state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process, such as a cron job that deletes old sessionstorage:* records.

Recommendations: For versions prior to 1.8.16, upgrade to version 1.8.16 to fix the issue. As a temporary workaround, consider configuring reverse proxies to reject requests to "/p/*/import" to block all imports. Limit all users to read-only access to minimize the risk of exploitation. Prevent the reuse of express sid cookie values that refer to deleted express-session state.