CVE-2020-22782

7.5 HIGH

📋 TL;DR

Etherpad (etherpad-lite) before 1.8.3 contains a denial of service vulnerability in the pad import feature: uploading a binary file to the import endpoint crashes the Node.js process and takes the whole instance offline until it is restarted. Every deployment whose import endpoint is reachable is exposed; public-facing instances that do not require authentication are the most at risk.

💻 Affected Systems

Products:
  • Etherpad
  • Etherpad Lite
Versions: All versions < 1.8.3
Operating Systems: All platforms running Etherpad
Default Config Vulnerable: ⚠️ Yes
Notes: Import is part of core Etherpad and is enabled in every standard installation. The endpoint is a multipart/form-data POST to /p/<padID>/import.

📦 What is this software?

Etherpad (the etherpad-lite code base) is an open-source, Node.js based real-time collaborative text editor. Pads are edited in the browser over a websocket connection, and each pad offers import and export of documents through HTTP endpoints under /p/<padID>/.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption: the Node.js process exits, so every pad on the instance becomes unavailable until someone restarts it, and edits that had not yet been written to the database are lost.

🟠

Likely Case

Temporary service outage requiring administrator intervention to restart the Etherpad service, disrupting collaborative editing sessions.

🟢

If Mitigated

Reduced to a failed request if the import endpoint is restricted to authenticated or allow-listed clients, or blocked outright, at the reverse proxy or web application firewall in front of Etherpad.

🌐 Internet-Facing: HIGH - Public instances are directly accessible to attackers who can trigger the DoS without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this vulnerability to disrupt collaboration tools.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single multipart/form-data POST carrying a binary file to /p/<padID>/import is enough. Default installations do not require authentication to reach the endpoint, so no credentials are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.3 and later

Vendor Advisory: https://github.com/ether/etherpad-lite/issues/3825

Restart Required: Yes

Instructions:

1. Back up your Etherpad database and settings.json.
2. Update Etherpad to version 1.8.3 or later, using your package manager or by checking out the release from GitHub.
3. Restart the Etherpad service.
4. Verify the update: the version field of src/package.json (or the version shown on the admin page) must read 1.8.3 or later.

🔧 Temporary Workarounds

Disable Import Functionality

Platform: all

Temporarily disable the import endpoint to prevent exploitation while planning the upgrade.

Set "requireAuthentication": true in settings.json (and define users there, or use an authentication plugin) so that every request, including the import endpoint, must authenticate first. Note that requireAuthentication is instance-wide, not per operation: it also gates ordinary pad access. Where import is not needed at all, block the endpoint at the reverse proxy instead.
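The weak default beside the hardened setting, as an added example that is not taken from the Etherpad project's files. It assumes the stock settings.json layout (Etherpad's settings.json parser tolerates // comments); the user names and placeholder passwords are illustrative.

```json
{
  // Weak: the value shipped in settings.json.template. Anyone who can reach
  // the instance can POST to /p/<padID>/import without credentials.
  // "requireAuthentication": false,

  // Hardened: every request, the import endpoint included, must authenticate.
  "requireAuthentication": true,
  "requireAuthorization": false,

  // Accounts that are allowed in (assumption: local users rather than an auth plugin).
  "users": {
    "admin":  { "password": "REPLACE-WITH-A-STRONG-PASSWORD", "is_admin": true  },
    "editor": { "password": "REPLACE-WITH-A-STRONG-PASSWORD", "is_admin": false }
  }
}
```

Restart Etherpad after editing settings.json; the change is only a stop-gap until 1.8.3 is deployed, because an authenticated user can still crash the instance.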

WAF/Reverse Proxy Filtering

Platform: all

Block binary file uploads to the import endpoint at the network perimeter.

Configure the reverse proxy or web application firewall to reject, allow-list or rate-limit POST requests to /p/*/import. The upload is a multipart/form-data request, so matching on the request's Content-Type header alone does not distinguish a binary upload from a legitimate text import; either block the endpoint outright, restrict it to trusted source addresses, or inspect the uploaded part.

🧯 If You Can't Patch

  • Restrict the import endpoint to authenticated users (requireAuthentication in settings.json) or to an allow-listed set of source addresses at the reverse proxy
  • Rate-limit POST /p/*/import at the reverse proxy so one client cannot repeatedly crash the instance, and run Etherpad under a supervisor (systemd, pm2 or similar) that restarts it automatically
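An nginx front end that applies the two proxy-side workarounds above (allow-listing and rate-limiting the import endpoint), as an added example that is not part of the Etherpad project's documentation. It assumes Etherpad listens on its default port 9001, that 10.0.0.0/8 is the internal network whose users may still import, and a hostname of pad.example.org; the TLS directives are elided.

```nginx
# Rate-limit zone keyed by client address: two import requests per minute.
limit_req_zone $binary_remote_addr zone=etherpad_import:10m rate=2r/m;

upstream etherpad {
    server 127.0.0.1:9001;   # assumption: Etherpad on its default port
}

server {
    listen 443 ssl;
    server_name pad.example.org;
    # ssl_certificate / ssl_certificate_key as usual

    # Keep uploads bounded so an oversized body cannot tie up the proxy either.
    client_max_body_size 50m;

    # The import endpoint: only the internal admin network may reach it,
    # and even those clients are rate-limited.
    location ~ ^/p/[^/]+/import$ {
        allow 10.0.0.0/8;        # assumption: internal network
        deny  all;               # everyone else gets 403 before Etherpad sees the upload
        limit_req zone=etherpad_import burst=5 nodelay;

        proxy_pass http://etherpad;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else, including the websocket the editor uses.
    location / {
        proxy_pass http://etherpad;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

To disable import entirely, replace the allow line with nothing and keep deny all; the location block still needs proxy_pass so nginx accepts the configuration. Note that this only changes who can reach the endpoint; the crash itself is fixed only by upgrading.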

🔍 How to Verify

Check if Vulnerable:

Compare the running version against 1.8.3; anything older is vulnerable. The page's second check, uploading a binary file to the import endpoint, should only be run against a staging instance, because on a vulnerable version it crashes the process.

Check Version:

Read the version field of src/package.json in the Etherpad checkout (for example, from the checkout directory, node -p "require('./src/package.json').version"), or check the version shown on the Etherpad admin page.
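A small version check that reads src/package.json and compares the version numerically against 1.8.3, as an added example rather than a tool shipped by the Etherpad project. A plain string comparison gets this wrong ("1.8.10" sorts before "1.8.3"), which is why the version is parsed into a tuple. The sample package.json content is constructed for the example.

```python
import json
import re
import sys

FIXED_VERSION = (1, 8, 3)  # first release that contains the fix

# Constructed sample of the relevant part of src/package.json (not a real file).
SAMPLE_PACKAGE_JSON = '{"name": "ep_etherpad-lite", "version": "1.8.0"}'


def parse_version(version):
    """Turn '1.8.3', '1.8.10' or '1.8.3-rc1' into a comparable tuple of ints."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when the version predates 1.8.3 (numeric, not lexicographic)."""
    return parse_version(version) < FIXED_VERSION


def check_package_json(text):
    """Given the contents of src/package.json, return (version, vulnerable)."""
    version = json.loads(text)["version"]
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Usage: python check_etherpad_version.py [path/to/src/package.json]
    path = sys.argv[1] if len(sys.argv) > 1 else "src/package.json"
    with open(path, encoding="utf-8") as fh:
        version, vulnerable = check_package_json(fh.read())
    print(f"Etherpad {version}: {'VULNERABLE, upgrade to 1.8.3+' if vulnerable else 'not affected by CVE-2020-22782'}")
    sys.exit(1 if vulnerable else 0)
```

The non-zero exit status makes the script usable from a fleet-wide inventory job.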

Verify Fix Applied:

After updating to 1.8.3 or later, repeat the upload against a staging instance: the import should fail with an error response while the Node.js process keeps running and other pads stay reachable.

📡 Detection & Monitoring

Log Indicators:

  • Bursts of import requests from a single client, or from clients that never load the pad itself
  • Unexpected Etherpad process exits or supervisor restarts
  • Error entries in the Etherpad log for failed imports immediately before an exit

Network Indicators:

  • multipart/form-data POST requests to /p/*/import whose uploaded file has a binary content type or extension, and 5xx responses to such requests (a 502 from the reverse proxy after an import means the upstream process is gone)
  • Unusual spikes in import endpoint traffic

SIEM Query:

source="etherpad.log" AND (("import" AND "binary") OR "crash" OR "restart")
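The network indicators above turned into detection logic over reverse proxy access logs, as an added example that is not part of the original advisory. It parses the common nginx/Apache combined log format and flags three things: bursts of import POSTs from one client, import requests the server answered with 5xx, and any 502 seen shortly after an import (the proxy has lost its upstream, which is what a crashed Etherpad looks like from outside). The log lines, addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx/Apache "combined" format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
IMPORT_RE = re.compile(r"^/p/[^/]+/import(?:\?|$)")

# Constructed sample traffic: one legitimate import, then a scripted burst from
# 203.0.113.5 that ends with the proxy returning 502, after which an unrelated
# user also gets 502 because the upstream is down.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2020:14:02:11 +0000] "POST /p/minutes/import HTTP/1.1" 200 112 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2020:14:05:01 +0000] "POST /p/test/import HTTP/1.1" 200 112 "-" "python-requests/2.23.0"
203.0.113.5 - - [10/Jun/2020:14:05:02 +0000] "POST /p/test/import HTTP/1.1" 200 112 "-" "python-requests/2.23.0"
203.0.113.5 - - [10/Jun/2020:14:05:03 +0000] "POST /p/test/import HTTP/1.1" 500 34 "-" "python-requests/2.23.0"
203.0.113.5 - - [10/Jun/2020:14:05:04 +0000] "POST /p/test/import HTTP/1.1" 502 157 "-" "python-requests/2.23.0"
198.51.100.7 - - [10/Jun/2020:14:05:09 +0000] "GET /p/minutes HTTP/1.1" 502 157 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    event["is_import"] = event["method"] == "POST" and bool(IMPORT_RE.match(event["path"]))
    return event


def analyze(log_text, burst_threshold=3, window_seconds=60, followup_seconds=30):
    """Return the indicators found in log_text as a dict of plain values."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    imports = [e for e in events if e["is_import"]]

    # Sliding window per client: >= burst_threshold imports inside window_seconds.
    recent = defaultdict(deque)
    burst_sources = set()
    for e in imports:
        window = recent[e["ip"]]
        window.append(e["ts"])
        while (e["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= burst_threshold:
            burst_sources.add(e["ip"])

    # Import requests the server itself failed on.
    failed_imports = [(e["ip"], e["status"]) for e in imports if e["status"] >= 500]

    # A 502 shortly after any import: the proxy can no longer reach Etherpad.
    last_import_ts = None
    outages_after_import = []
    for e in events:
        if e["is_import"]:
            last_import_ts = e["ts"]
        elif e["status"] == 502 and last_import_ts is not None \
                and (e["ts"] - last_import_ts).total_seconds() <= followup_seconds:
            outages_after_import.append((e["ip"], e["path"], e["status"]))

    return {
        "import_requests": len(imports),
        "burst_sources": sorted(burst_sources),
        "failed_imports": failed_imports,
        "outages_after_import": outages_after_import,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it over the real access log instead of SAMPLE_LOG and tune burst_threshold to your users' normal import rate; a 502 following an import is the strongest single signal, since a healthy Etherpad never makes the proxy return one.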
