Vulnerability Note VU#302668
ShareLaTeX vulnerable to remote command execution and information disclosure
Overview
ShareLaTeX is a server-based software allowing group collaboration on LaTeX documents. ShareLaTeX prior to version 0.1.3 has been found to be vulnerable to command injections and information disclosure.
Description
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-0933 ShareLaTeX 0.1.3 and previous versions allow a remote user to obtain information about other users or the server on which ShareLaTeX is installed by allowing a user to \include{} any valid absolute path name in the document, which is then forwarded to the latex process. When processed, the output document will contain the contents of the file specified. |
Impact
CVE-2015-0933 allows a remote authenticated user to obtain information about other users or the server on which ShareLaTeX is installed. This information can include information like user accounts, which may be used to mount further attacks against the server. |
Solution
Apply an update |
Change LaTeX configuration |
Vendor Information (Learn More)
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
ShareLaTeX | Affected | - | 03 Mar 2015 |
CVSS Metrics (Learn More)
Group | Score | Vector |
---|---|---|
Base | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Temporal | 5.0 | E:POC/RL:OF/RC:C |
Environmental | 1.3 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
- https://github.com/sharelatex/sharelatex/wiki/Production-Installation-Instructions#securing-latex
- https://github.com/sharelatex/sharelatex/tree/v0.1.3
- https://www.pressestelle.tu-berlin.de/menue/tub-medien/publications/press_releases/2015/maerz_2015/media_information_no_46_e/parameter/en/
Credit
Thanks to Tobias Fiebig for reporting this vulnerability.
This document was written by Garret Wassermann.
Other Information
- CVE IDs: CVE-2015-0933 CVE-2015-0934
- Date Public: 02 Mar 2015
- Date First Published: 03 Mar 2015
- Date Last Updated: 03 Mar 2015
- Document Revision: 44
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.