Impact
This vulnerability could potentially allow a malicious user to serve arbitrary content on documentation sites they don't own.
This was possible by tricking our code into temporarily serving documentation from other projects in the domain of other projects with a crafted request, and then our CDN caching that response for all users.
Users of https://readthedocs.org/ and https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade. If you are using a CDN, you may be affected by this vulnerability.
Patches
This vulnerability has been patched in our 9.5.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)
stsewd Analyst
Impact
This vulnerability could potentially allow a malicious user to serve arbitrary content on documentation sites they don't own.
This was possible by tricking our code into temporarily serving documentation from other projects in the domain of other projects with a crafted request, and then our CDN caching that response for all users.
Users of https://readthedocs.org/ and https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade. If you are using a CDN, you may be affected by this vulnerability.
Patches
This vulnerability has been patched in our 9.5.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)