Impact
This vulnerability could potentially allow a malicious user to redirect a user to an external site given a link of the form https://docs.example.com/en/latest/%0D/atacker-site.com/
. For this to work, the project must have an exact redirect with /:splat
in to_url
.
On Read the Docs community (readthedocs.io and custom domains) the impact is almost null, and on Read the Docs for Business (readthedocs-hosted.com and custom domains), it could have been used to intercept a CAS session ticket, this ticket alone can't be used to get a session, the only information that this ticket may provide is the username of the user.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This vulnerability has been patched in our 10.17.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP).
Impact
This vulnerability could potentially allow a malicious user to redirect a user to an external site given a link of the form
https://docs.example.com/en/latest/%0D/atacker-site.com/
. For this to work, the project must have an exact redirect with/:splat
into_url
.On Read the Docs community (readthedocs.io and custom domains) the impact is almost null, and on Read the Docs for Business (readthedocs-hosted.com and custom domains), it could have been used to intercept a CAS session ticket, this ticket alone can't be used to get a session, the only information that this ticket may provide is the username of the user.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This vulnerability has been patched in our 10.17.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP).