Impact
This vulnerability could potentially allow an attacker to hijack a specific type of user session, given a crafted URL. Exploiting this vulnerability would have required the user to follow a malicious link, allowing the attacker to steal the CAS ticket used to authenticate the user towards several read-only APIs, namely the APIs used for search and embedded content, allowing the attacker to have access to content of projects which the user had access to. This malicious link would have looked like https://readthedocs.com/cas/login?service=https://evil-site.readthedocs-hosted.com/en/latest/.
This vulnerability was possible due to our CAS server allowing to issue authentication tickets for any CAS client or site.
The open source community version of Read the Docs (https://readthedocs.org) isn't affected by this vulnerability, and users of https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
This vulnerability was present in our private version of Read the Docs, custom installations aren't affected.
Patches
This vulnerability has been patched with our 9.12.0 release.
References
This vulnerability has been fixed in our private code, we can't share this patch publicly.
For more information
If you have any questions or comments about this advisory, email us at [email protected] (PGP)
stsewd Finder
Impact
This vulnerability could potentially allow an attacker to hijack a specific type of user session, given a crafted URL. Exploiting this vulnerability would have required the user to follow a malicious link, allowing the attacker to steal the CAS ticket used to authenticate the user towards several read-only APIs, namely the APIs used for search and embedded content, allowing the attacker to have access to content of projects which the user had access to. This malicious link would have looked like
https://readthedocs.com/cas/login?service=https://evil-site.readthedocs-hosted.com/en/latest/.This vulnerability was possible due to our CAS server allowing to issue authentication tickets for any CAS client or site.
The open source community version of Read the Docs (https://readthedocs.org) isn't affected by this vulnerability, and users of https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
This vulnerability was present in our private version of Read the Docs, custom installations aren't affected.
Patches
This vulnerability has been patched with our 9.12.0 release.
References
This vulnerability has been fixed in our private code, we can't share this patch publicly.
For more information
If you have any questions or comments about this advisory, email us at [email protected] (PGP)