CSRF from `readthedocs.io`/`readthedocs-hosted.com` and domains registered in the platform

High
ericholscher published GHSA-3v5m-qmm9-3c6c Jun 15, 2021

Package

Read the Docs (Python)

Affected versions

< 5.19.0

Patched versions

5.19.0

Description

Impact

This allowed a malicious user to fetch internal and private information from a logged-in user of readthedocs.org/readthedocs.com by creating a malicious site hosted on readthedocs.io/readthedocs-hosted.com, or on any custom domain registered in the platform.

It would have required the attacker to get a logged-in user to visit an attacker-controlled web page, which could then have made GET API requests on behalf of the user. This vulnerability was found by our team as part of a routine security audit, and there is no indication it was exploited.

Patches

This issue has been patched in our 5.19.0 release. If you are using a self-hosted instance, make sure to remove/change these settings:

# readthedocs/settings/base.py

CORS_ORIGIN_REGEX_WHITELIST = []  # or remove

# Additional protection to allow only idempotent methods.
CORS_ALLOW_METHODS = [
    'GET',
    'OPTIONS',
    'HEAD',
]
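To see why an empty `CORS_ORIGIN_REGEX_WHITELIST` is the fix, the following added example (not Read the Docs' own code) models the decision the CORS middleware makes for a credentialed request: the origin is reflected only when some whitelist pattern matches it, which is what lets a page hosted on an attacker-controlled project subdomain read a logged-in user's API responses. The regex, the `readthedocs.io` project name and the `audit` helper are constructed for illustration and are not the values the platform actually used.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CorsSettings:
    """Subset of django-cors-headers settings relevant to this advisory."""
    origin_regex_whitelist: list = field(default_factory=list)
    allow_credentials: bool = True
    allow_methods: tuple = ("GET", "OPTIONS", "HEAD")


def cors_headers(origin: str, settings: CorsSettings) -> dict:
    """Mimic the middleware: reflect Origin only if a whitelist pattern matches it."""
    if not any(re.match(pattern, origin) for pattern in settings.origin_regex_whitelist):
        return {}  # no CORS headers: the browser blocks the cross-origin read
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(settings.allow_methods),
    }
    if settings.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def allows_credentialed_read(headers: dict, origin: str) -> bool:
    """True when a page at `origin` could read a logged-in user's API response."""
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


# Constructed illustration of the pre-5.19.0 shape: every docs subdomain is trusted,
# but any user can create a project and therefore control such a subdomain.
WEAK = CorsSettings(origin_regex_whitelist=[r"^https://.*\.readthedocs\.io$"])
# The advisory's fix: an empty whitelist grants no cross-origin reads at all.
FIXED = CorsSettings(origin_regex_whitelist=[])

# Hypothetical attacker-controlled project hosted on the docs domain (constructed).
ATTACKER_ORIGIN = "https://attacker-project.readthedocs.io"


def audit(settings: CorsSettings, origin: str = ATTACKER_ORIGIN) -> bool:
    """Report whether `origin` can read credentialed API responses under `settings`."""
    return allows_credentialed_read(cors_headers(origin, settings), origin)


if __name__ == "__main__":
    print("weak config exposes user data:", audit(WEAK))    # True
    print("fixed config exposes user data:", audit(FIXED))  # False
```

Note that `CORS_ALLOW_METHODS` on its own only limits which methods are advertised; with the whitelist still populated, the GET reads the advisory describes remain possible.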

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

No known CVE

Weaknesses

Credits