CVE-2018-9845

9.8 CRITICAL

📋 TL;DR

CVE-2018-9845 is an authentication bypass vulnerability in Etherpad Lite that allows unauthenticated attackers to gain administrative access. This affects all Etherpad Lite instances running versions before 1.6.4. Attackers can take full control of the application and potentially compromise the underlying server.

💻 Affected Systems

Products:
  • Etherpad Lite
Versions: All versions before 1.6.4
Operating Systems: All platforms running Etherpad Lite
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Etherpad instance, data theft/manipulation, and potential server takeover through subsequent attacks.

🟠 Likely Case

Unauthorized administrative access leading to data manipulation, user impersonation, and disruption of collaborative editing sessions.

🟢 If Mitigated

Limited impact if network segmentation and strict access controls prevent external exploitation attempts.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exploitable by any attacker without authentication.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation can trigger the vulnerability. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.4

Vendor Advisory: https://github.com/ether/etherpad-lite/blob/develop/CHANGELOG.md

Restart Required: Yes

Instructions:

1. Backup your Etherpad data and settings.
2. Update to Etherpad Lite 1.6.4 or later using npm: 'npm update etherpad-lite'.
3. Restart the Etherpad service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction (linux)

Restrict network access to Etherpad instances using firewall rules (trusted_network is a placeholder for the source range you permit; the ACCEPT rule must precede the DROP rule, as shown):

iptables -A INPUT -p tcp --dport 9001 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 9001 -j DROP

Reverse Proxy with Authentication (all platforms)

Place Etherpad behind a reverse proxy with authentication requirements

🧯 If You Can't Patch

  • Isolate Etherpad instances in a separate network segment with strict access controls
  • Implement web application firewall rules to block suspicious authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check the Etherpad version via the web interface or by examining the package.json file

Check Version:

grep version /path/to/etherpad/package.json

Verify Fix Applied:

Confirm version is 1.6.4 or later and test authentication functionality
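As an added example (not part of this advisory), a small POSIX shell check that reads the version from package.json, as the grep above does, and compares it numerically against the 1.6.4 fix release rather than eyeballing the string; it assumes package.json carries a top-level "version" field and it tolerates versions with a pre-release suffix or fewer than three components.

```shell
# Added example, not from the advisory: flag an Etherpad Lite checkout whose
# package.json reports a version older than the fixed release 1.6.4.
# Assumes package.json has a top-level "version": "x.y.z" entry.

FIXED_VERSION="1.6.4"

# Print the first "version" value found in the package.json given as $1.
etherpad_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Compare dotted versions $1 and $2 component by component: first three
# components, missing ones count as 0, non-numeric suffixes such as "-rc1"
# are ignored. Prints -1, 0 or 1. A trailing dot is appended so that cut
# always sees a delimiter, even for a bare "2".
version_cmp() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$1." | cut -d. -f"$i"); x=${x%%[!0-9]*}; x=${x:-0}
    y=$(printf '%s\n' "$2." | cut -d. -f"$i"); y=${y%%[!0-9]*}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# Exit 0 if the package.json at $1 reports a version below 1.6.4 (vulnerable),
# 1 if it is at or above the fix, 2 if no version could be read.
etherpad_vulnerable() {
  v=$(etherpad_version "$1")
  if [ -z "$v" ]; then
    echo "no version field found in $1" >&2
    return 2
  fi
  if [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]; then
    echo "VULNERABLE: $v is older than $FIXED_VERSION"
    return 0
  fi
  echo "OK: $v is at or above $FIXED_VERSION"
  return 1
}
```

Run it as `etherpad_vulnerable /path/to/etherpad/package.json` on each instance; the exit status makes it usable from an inventory script.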

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin login attempts from unexpected IPs
  • Multiple failed authentication attempts followed by successful admin access

Network Indicators:

  • HTTP requests manipulating authentication parameters
  • Traffic patterns showing admin access from unauthenticated sources

SIEM Query:

source="etherpad.log" AND ("admin" OR "authentication") AND status="200" AND user="anonymous"
