Impact
This vulnerability could potentially allow an attacker to take over a specific type of user session, given a crafted URL and access to create a pull request on the repository. Exploiting this vulnerability would have required the attacker to:
- Be able to create a pull request on a repository of a project which the victim has access to.
- Trick the user to follow a malicious link.
Taking over the session would have granted access to several read-only APIs, namely the APIs used for search and embedded content, allowing the attacker to have access to content of projects which the user had access to. This malicious link would have looked like https://readthedocs.com/cas/login?service=https://<project-slug>--<pull-request-id>.com.readthedocs.build.
This vulnerability was possible due to our CAS server allowing to authenticate users on domains from pull requests, but since these sites include content from any user, they shouldn't be trusted, especially if the repository is public, where any user can create a pull request.
The open source community version of Read the Docs (https://readthedocs.org) isn't affected by this vulnerability, and users of https://readthedocs.com/ should not set pull request previews as private if their repository is public, we have automatically changed this option for projects with public repositories, we have updated our documentation to reflect this, and we will restrict the actions a user can do from a pull request preview in the future.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
This vulnerability was present in our private version of Read the Docs, custom installations aren't affected.
Patches
This vulnerability has been patched with our 10.17.0 release.
References
This vulnerability has been fixed in our private code, we can't share this patch publicly. Additionally, we have added some extra protections in our public code to prevent users from setting pull requests previews to public if their repository is public.
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)
stsewd Analyst
Impact
This vulnerability could potentially allow an attacker to take over a specific type of user session, given a crafted URL and access to create a pull request on the repository. Exploiting this vulnerability would have required the attacker to:
Taking over the session would have granted access to several read-only APIs, namely the APIs used for search and embedded content, allowing the attacker to have access to content of projects which the user had access to. This malicious link would have looked like
https://readthedocs.com/cas/login?service=https://<project-slug>--<pull-request-id>.com.readthedocs.build.This vulnerability was possible due to our CAS server allowing to authenticate users on domains from pull requests, but since these sites include content from any user, they shouldn't be trusted, especially if the repository is public, where any user can create a pull request.
The open source community version of Read the Docs (https://readthedocs.org) isn't affected by this vulnerability, and users of https://readthedocs.com/ should not set pull request previews as private if their repository is public, we have automatically changed this option for projects with public repositories, we have updated our documentation to reflect this, and we will restrict the actions a user can do from a pull request preview in the future.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
This vulnerability was present in our private version of Read the Docs, custom installations aren't affected.
Patches
This vulnerability has been patched with our 10.17.0 release.
References
This vulnerability has been fixed in our private code, we can't share this patch publicly. Additionally, we have added some extra protections in our public code to prevent users from setting pull requests previews to public if their repository is public.
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)