Impact
This vulnerability could allow an attacker to create an account with any email marked as verified without the need to verify that email, this doesn't allow the attacker to take over an already verified email. This was possible due to our application marking as verified all secondary emails from a GitHub account, even if they weren't verified by GitHub.
We have invalidated emails that were wrongly marked as verified, if your email was affected, you'll need to verify your email in order to use it next time you sign in. We have taken measures to ensure that the security issue is now fully fixed. This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was abused in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This vulnerability has been patched with our 11.20.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP).
stsewd Finder
Impact
This vulnerability could allow an attacker to create an account with any email marked as verified without the need to verify that email, this doesn't allow the attacker to take over an already verified email. This was possible due to our application marking as verified all secondary emails from a GitHub account, even if they weren't verified by GitHub.
We have invalidated emails that were wrongly marked as verified, if your email was affected, you'll need to verify your email in order to use it next time you sign in. We have taken measures to ensure that the security issue is now fully fixed. This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was abused in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This vulnerability has been patched with our 11.20.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP).