PT-2024-31565 · Overleaf · Overleaf Server Pro

Stefan-Schiller-Sonarsource · Published 2024-09-02 · Updated 2024-09-25 · CVE-2024-45313

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Overleaf Server Pro versions prior to 2024-07-17
Overleaf Server Pro using legacy docker-compose.yml versions prior to 2024-08-28

Description

Overleaf is a web-based collaborative LaTeX editor. When installing Server Pro using the Overleaf Toolkit from before 2024-07-17 or legacy docker-compose.yml from before 2024-08-28, the configuration for LaTeX compiles was insecure by default. This required the administrator to enable the security features via a configuration setting (SIBLING_CONTAINERS_ENABLED in Toolkit, SANDBOXED_COMPILES in legacy docker-compose/custom deployments). If these security features are not enabled, users have access to the sharelatex container resources (filesystem, network, environment variables) when running compiles, leading to multiple file access vulnerabilities, either directly or via symlinks created during compiles.

Recommendations

For existing installations using the previous default setting, migrate to using sibling containers. Set SIBLING_CONTAINERS_ENABLED=true in config/overleaf.rc as a mitigation. In legacy docker-compose/custom deployments, use SANDBOXED_COMPILES=true.
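One way to audit an installation for the two settings named above, as an added example that is not part of the advisory or Overleaf's own tooling. It assumes the setting names are written with underscores, as they appear in the configuration files, and that the file paths are passed as arguments; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Overleaf's own tooling): audit whether compile isolation
# is switched on in a Toolkit rc file or a legacy docker-compose.yml.

# setting_enabled FILE KEY
#   0 = the last uncommented assignment of KEY is "true"
#   1 = KEY is absent, commented out, or set to anything else
#   2 = FILE is not readable
setting_enabled() {
    file=$1
    key=$2
    [ -r "$file" ] || return 2
    # Accepts KEY=value (rc file) plus "KEY: value" and "- KEY=value"
    # (compose environment). Requiring [=:] right after KEY rejects longer
    # keys that merely share the prefix.
    value=$(grep -v '^[[:space:]]*#' "$file" \
        | sed -En "s/^[[:space:]]*(-[[:space:]]*)?(export[[:space:]]+)?${key}[[:space:]]*[=:][[:space:]]*//p" \
        | tail -n 1 \
        | sed 's/[[:space:]]#.*$//' \
        | tr -d "\"' \t" \
        | tr 'A-Z' 'a-z')
    [ "$value" = "true" ]
}

# report FILE KEY: print one finding line for a file/key pair.
report() {
    rc=0
    setting_enabled "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK    $1: $2=true" ;;
        2) echo "SKIP  $1: not readable" ;;
        *) echo "FAIL  $1: $2 is not enabled; compiles run inside the sharelatex container" ;;
    esac
}

# Usage: sh check.sh config/overleaf.rc docker-compose.yml
if [ "$#" -ge 1 ]; then report "$1" SIBLING_CONTAINERS_ENABLED; fi
if [ "$#" -ge 2 ]; then report "$2" SANDBOXED_COMPILES; fi
```

A commented-out or missing line is reported as FAIL, which matches the insecure default the advisory describes for the affected versions.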

Exploit

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2024-45313
GHSA-M95Q-G8QG-WGJ4

Affected Products

Overleaf Server Pro