Impact
This vulnerability could potentially allow a malicious user to get some private information about a user account like: username, name, and audit logs.
Exploiting this would have required an attacker to get a logged-in user to visit a malicious URL, after visiting that URL, the content of that page would have been cached for all users in our CDN, allowing the attacker to retrieve that private content.
This URL would have looked something like https://readthedocs.org/accounts/security-log/ext.js, where ext.js could have been any path ending with any of the extensions from https://developers.cloudflare.com/cache/about/default-cache-behavior/#default-cached-file-extensions.
This vulnerability requires the use of a CDN to be exploited, so it was present in our https://readthedocs.org site only, https://readthedocs.com doesn't make use of a CDN, so it wasn't affected. Users of https://readthedocs.org/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed. Our CDN doesn't cache cookies, so user's sessions are safe.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade. If you are using a CDN that automatically caches resources based on its extension, you are probably affected by this vulnerability, and if your CDN caches cookies, your user's sessions could have been compromised.
Patches
This vulnerability has been patched in our 9.2.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)
stsewd Analyst
Impact
This vulnerability could potentially allow a malicious user to get some private information about a user account like: username, name, and audit logs.
Exploiting this would have required an attacker to get a logged-in user to visit a malicious URL, after visiting that URL, the content of that page would have been cached for all users in our CDN, allowing the attacker to retrieve that private content.
This URL would have looked something like
https://readthedocs.org/accounts/security-log/ext.js, whereext.jscould have been any path ending with any of the extensions from https://developers.cloudflare.com/cache/about/default-cache-behavior/#default-cached-file-extensions.This vulnerability requires the use of a CDN to be exploited, so it was present in our https://readthedocs.org site only, https://readthedocs.com doesn't make use of a CDN, so it wasn't affected. Users of https://readthedocs.org/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed. Our CDN doesn't cache cookies, so user's sessions are safe.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade. If you are using a CDN that automatically caches resources based on its extension, you are probably affected by this vulnerability, and if your CDN caches cookies, your user's sessions could have been compromised.
Patches
This vulnerability has been patched in our 9.2.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)