Impact
This allowed a malicious user to fetch internal and private information from a logged-in user in readthedocs.org/readthedocs.com by creating a malicious site hosted on readthedocs.io/readthedocs-hosted.com or from any custom domain registered in the platform.
It would have required the attacker to get a logged-in user to visit an attacker-controlled web page, which could then have made GET API requests on behalf of the user. This vulnerability was found by our team as part of a routine security audit, and there is no indication it was exploited.
Patches
This issue has been patched in our 5.19.0 release. If you are using a self-hosted instance, make sure to remove/change these settings:
# readthedocs/settings/base.py
CORS_ORIGIN_REGEX_WHITELIST = []  # or remove
# Additional protection to allow only idempotent methods.
CORS_ALLOW_METHODS = [
    'GET',
    'OPTIONS',
    'HEAD',
]
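To see why the two settings above matter, the following added example (not Read the Docs code, and not the django-cors-headers implementation) models the origin and method checks a CORS layer performs. The regex `^https://[a-z0-9-]+\.readthedocs\.io$` is an assumed, deliberately permissive whitelist entry used for illustration; it is not the pattern the project shipped. The sample origins are constructed. It shows that a regex covering a whole user-controlled subdomain space admits an attacker-chosen project subdomain with credentials attached, that an empty whitelist denies all cross-origin reads, and that restricting methods only helps for methods beyond GET.

```python
import re
from dataclasses import dataclass, field

# Broad method set assumed for the "before" state; the patched
# setting in the advisory narrows it to GET/OPTIONS/HEAD.
ALL_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"}


@dataclass
class CorsPolicy:
    """Simplified model of the CORS settings discussed in the advisory."""
    origin_regex_whitelist: list = field(default_factory=list)  # CORS_ORIGIN_REGEX_WHITELIST
    allowed_methods: set = field(default_factory=lambda: {"GET", "OPTIONS", "HEAD"})  # CORS_ALLOW_METHODS
    allow_credentials: bool = True  # session cookie is sent along with the request

    def origin_allowed(self, origin: str) -> bool:
        # Any regex match is enough to whitelist the origin.
        return any(re.match(pattern, origin) for pattern in self.origin_regex_whitelist)


def evaluate(policy: CorsPolicy, origin: str, method: str):
    """Return the CORS response headers the API would emit for a request from
    `origin` using `method`, or None when the browser must block the read."""
    if not policy.origin_allowed(origin):
        return None
    if method.upper() not in policy.allowed_methods:
        return None
    headers = {"Access-Control-Allow-Origin": origin}
    if policy.allow_credentials:
        # Reflecting an attacker-controlled origin together with this header
        # is what lets the attacker's page read the logged-in user's data.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Hypothetical permissive whitelist: every project subdomain matches, and
# project subdomains are created by arbitrary users of the platform.
WEAK = CorsPolicy(
    origin_regex_whitelist=[r"^https://[a-z0-9-]+\.readthedocs\.io$"],
    allowed_methods=set(ALL_METHODS),
)

# Patched configuration from the advisory: no regex whitelist at all,
# and only idempotent methods allowed as defence in depth.
PATCHED = CorsPolicy(origin_regex_whitelist=[], allowed_methods={"GET", "OPTIONS", "HEAD"})

# Constructed sample origins for the audit.
SAMPLE_ORIGINS = [
    "https://docs.readthedocs.io",             # a first-party docs site
    "https://attacker-project.readthedocs.io",  # a project subdomain anyone can register
    "https://evil.example",                     # unrelated third-party site
]


def audit(policy: CorsPolicy, origins, method: str = "GET") -> dict:
    """Map each origin to whether a credentialed cross-origin read succeeds."""
    return {origin: evaluate(policy, origin, method) is not None for origin in origins}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("patched", PATCHED)):
        print(name, audit(policy, SAMPLE_ORIGINS))
```

Note that limiting CORS_ALLOW_METHODS on its own would not have closed the hole: a credentialed GET with no custom headers is a simple request that never triggers a preflight, so the origin whitelist is the actual fix and the method restriction only blocks state-changing calls that do preflight.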
For more information
If you have any questions or comments about this advisory: