CVE-2022-24837

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-24837

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24837.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-24837

Aliases

GHSA-q6vv-2q26-j7rx

Published

2022-04-11T20:20:26Z

Modified

2025-10-30T20:04:08.923641Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Enumerable upload file names in hedgedoc

Details

HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Images uploaded with HedgeDoc version 1.9.1 and later have an enumerable filename after the upload, resulting in potential information leakage of uploaded documents. This is especially relevant for private notes and affects all upload backends, except Lutim and imgur. This issue is patched in version 1.9.3 by replacing the filename generation with UUIDv4. If you cannot upgrade to HedgeDoc 1.9.3, it is possible to block POST requests to /uploadimage, which will disable future uploads.

Database specific

{
    "cwe_ids": [
        "CWE-200"
    ]
}

References

Affected packages

Git / github.com/hedgedoc/hedgedoc

Affected ranges

Type: GIT
Repo: https://github.com/hedgedoc/hedgedoc
Events: Introduced

d676008ff7869dc51d7c9b417d22daf3bb799be2

Fixed

7f09558b58a87b6615a5d28982586e352345ef38

Affected versions

1.*

1.9.1

1.9.2