CVE-2020-22785 - OpenCVE

Etherpad < 1.8.3 is affected by a missing lock check which could cause a denial of service. Aggressively targeting random pad import endpoints with empty data would flatten all pads due to lack of rate limiting and missing ownership check.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Etherpad	Etherpad

Configuration 1 [-]

cpe:2.3:a:etherpad:etherpad:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/ether/etherpad-lite/pull/3833	Exploit Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-04-28T20:22:37

Updated: 2021-04-28T20:22:37

Reserved: 2020-08-13T00:00:00

Link: CVE-2020-22785

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-04-28T21:15:08.713

Modified: 2021-05-05T19:39:26.383

Link: CVE-2020-22785

JSON object: View

Redhat Information

No data.

CWE

CWE-770

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:etherpad:etherpad:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE027A22-DA83-430F-BF59-AABFA64B9532", "versionEndExcluding": "1.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Etherpad < 1.8.3 is affected by a missing lock check which could cause a denial of service. Aggressively targeting random pad import endpoints with empty data would flatten all pads due to lack of rate limiting and missing ownership check."}, {"lang": "es", "value": "Etherpad versiones anteriores a 1.8.3, est\u00e1 afectado por una falta de comprobaci\u00f3n de bloqueo que podr\u00eda causar una denegaci\u00f3n de servicio. Al apuntar de manera agresiva a los endpoints de importaci\u00f3n de pads aleatorios con datos vac\u00edos, se aplanar\u00edan todos los pads debido a una falta de limitaci\u00f3n de velocidad y falta de comprobaci\u00f3n de propiedad"}], "id": "CVE-2020-22785", "lastModified": "2021-05-05T19:39:26.383", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-28T21:15:08.713", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/ether/etherpad-lite/pull/3833"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}