CVE-2021-32744
📋 TL;DR
CVE-2021-32744 is an Insecure Direct Object Reference (IDOR) vulnerability in Collabora Online that allows unauthenticated attackers to access files currently opened by other users by guessing file identifiers. This affects all users of Collabora Online versions before 4.2.17-1 and 6.4.9-5. The vulnerability enables unauthorized access to sensitive documents being edited in real-time.
💻 Affected Systems
- Collabora Online
📦 What is this software?
Online by Collabora
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to sensitive business documents, intellectual property, or confidential data being edited by other users, potentially leading to data breaches, corporate espionage, or regulatory violations.
Likely Case
Unauthorized access to documents being actively edited, potentially exposing sensitive information, meeting notes, financial data, or proprietary content to attackers.
If Mitigated
With proper access controls and network segmentation, impact is limited to documents accessible within the compromised user's permissions, but sensitive documents could still be exposed.
🎯 Exploit Status
Exploitation requires guessing file identifiers; complexity depends on predictability of identifiers in specific deployments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.17-1 and 6.4.9-5
Vendor Advisory: https://github.com/CollaboraOnline/online/security/advisories/GHSA-32xj-9x82-q9jw
Restart Required: Yes
Instructions:
1. Backup your Collabora Online installation and configuration.
2. Update to version 4.2.17-1 or 6.4.9-5 using your package manager.
3. Restart the Collabora Online service.
4. Verify the update was successful.
🔧 Temporary Workarounds
No official workaround available
Vendor states there is no known workaround except updating to patched versions
🧯 If You Can't Patch
- Implement strict network access controls to limit Collabora Online exposure to trusted networks only
- Monitor for unusual access patterns to file identifiers and implement rate limiting on file access requests
🔍 How to Verify
Check if Vulnerable:
Check the installed Collabora Online version; if it is below 4.2.17-1 or 6.4.9-5, the system is vulnerable
Check Version:
collabora-online --version
or check the package manager:
apt list --installed | grep collabora
yum list installed | grep collabora
Verify Fix Applied:
Confirm the installed version is 4.2.17-1 or 6.4.9-5 or higher, and test that unauthenticated attempts to reach files opened by other users are rejected
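The version comparison above is easy to get wrong by hand because the package release suffix (the "-1" in 4.2.17-1) is part of the ordering and because there are two fixed lines. The script below is an added example, not part of this advisory or of the Collabora project: it parses a version string of the form MAJOR.MINOR.PATCH[-RELEASE] as a comparable tuple, and decides whether it predates the fix. The branch mapping is an assumption drawn from the wording "before 4.2.17-1 and 6.4.9-5": 4.x releases are fixed from 4.2.17-1, anything from 6.4.9-5 upward is fixed, and everything else (4.2.16, 5.x, 6.4.8, and a bare 6.4.9 with no release suffix) is treated as vulnerable. The extract_version helper and the sample apt line it is fed are constructed for illustration; the package name is not taken from the advisory.

```python
import re
from typing import Optional, Tuple

# Fixed versions named in the advisory for CVE-2021-32744.
FIXED_4X = (4, 2, 17, 1)   # 4.2.17-1
FIXED_6X = (6, 4, 9, 5)    # 6.4.9-5

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")
# Loose pattern for pulling a version out of package-manager output.
_EMBEDDED_RE = re.compile(r"\b\d+\.\d+\.\d+(?:-\d+)?\b")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[-RELEASE]' into a comparable tuple.

    A missing release suffix is treated as 0 (assumption), so that
    '6.4.9' sorts below '6.4.9-5' the way dpkg/rpm ordering would.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rel = m.groups()
    return (int(major), int(minor), int(patch), int(rel or 0))


def is_vulnerable(text: str) -> bool:
    """True if the given Collabora Online version predates the fix.

    Assumed branch mapping: 4.x is fixed from 4.2.17-1, everything
    from 6.4.9-5 upward is fixed, and anything else is vulnerable.
    """
    v = parse_version(text)
    if v >= FIXED_6X:
        return False
    if v[0] == 4 and v >= FIXED_4X:
        return False
    return True


def extract_version(line: str) -> Optional[str]:
    """Pull the first MAJOR.MINOR.PATCH[-RELEASE] token out of a line of
    'apt list --installed' or 'yum list installed' output (constructed
    layout; adjust if your package manager prints something else)."""
    m = _EMBEDDED_RE.search(line)
    return m.group(0) if m else None


def check_package_line(line: str) -> Optional[bool]:
    """Convenience wrapper: None if no version found, else is_vulnerable."""
    version = extract_version(line)
    if version is None:
        return None
    return is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample line in the shape of 'apt list --installed' output.
    sample = "collabora-online-example/now 6.4.8-3 amd64 [installed]"
    print(sample, "->", "VULNERABLE" if check_package_line(sample) else "fixed")
    for v in ("4.2.16-9", "4.2.17-1", "6.4.8-3", "6.4.9", "6.4.9-5", "7.0.0"):
        print(f"{v:>10}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Pipe the output of the package-manager command from the section above into check_package_line, one line at a time, to get a yes/no per installed package rather than eyeballing the suffix.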
📡 Detection & Monitoring
Log Indicators:
- Multiple failed attempts to access file identifiers
- Unauthenticated requests to file access endpoints
- Access to file identifiers outside normal patterns
Network Indicators:
- Unusual spikes in requests to Collabora Online file endpoints
- Requests from unexpected IP addresses to file access URLs
SIEM Query:
source="collabora_logs" AND (http_status=200 OR http_status=403) AND uri_path CONTAINS "/lool/" AND user_agent!="Collabora Online"
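The log and network indicators listed above boil down to two per-source measurements: how many requests to file endpoints were rejected, and how many distinct file identifiers one source touched. The script below is an added example, not part of this advisory or of the Collabora project, that computes both over reverse-proxy access logs and raises an alert when either crosses a threshold. It assumes the proxy in front of Collabora Online writes Apache/nginx combined-format lines and that the file identifier is the first path segment after "/lool/"; the sample lines, the "doc-NNNN" identifiers, the IP addresses and the thresholds are all constructed for illustration and should be tuned to your own baseline.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Combined log format (assumed proxy configuration).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

FAILED_THRESHOLD = 5   # rejected (403) file requests from one source; assumed
ENUM_THRESHOLD = 5     # distinct file identifiers from one source; assumed


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def file_identifier(path: str) -> Optional[str]:
    """Extract the identifier from '/lool/<identifier>/...' (assumed layout)."""
    parts = path.split("/")
    if len(parts) >= 3 and parts[1] == "lool" and parts[2]:
        return parts[2]
    return None


def analyse(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Aggregate file-endpoint requests per source IP and return alerts.

    Each alert is (ip, [reasons]); reasons are only emitted when the
    per-source counters cross the thresholds above.
    """
    stats = defaultdict(lambda: {"requests": 0, "failed": 0, "ids": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ident = file_identifier(rec["path"])
        if ident is None:
            continue                      # not a file endpoint; ignore
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["ids"].add(ident)
        if rec["status"] == "403":
            s["failed"] += 1

    alerts = []
    for ip, s in sorted(stats.items()):
        reasons = []
        if s["failed"] >= FAILED_THRESHOLD:
            reasons.append(f"{s['failed']} rejected requests")
        if len(s["ids"]) >= ENUM_THRESHOLD:
            reasons.append(f"{len(s['ids'])} distinct file identifiers")
        if reasons:
            alerts.append((ip, reasons))
    return alerts


# Constructed sample: one normal editor reopening its own document, and one
# source walking through consecutive identifiers and mostly being rejected.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Jul/2021:12:00:01 +0000] "GET /lool/doc-4711/ws HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jul/2021:12:00:05 +0000] "GET /lool/doc-4711/ws HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jul/2021:12:00:06 +0000] "GET /favicon.ico HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [10/Jul/2021:12:01:{i:02d} +0000] '
    f'"GET /lool/doc-{1000 + i}/ws HTTP/1.1" {403 if i < 5 else 200} 0 "-" "curl/7.68.0"'
    for i in range(6)
]

if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG):
        print(f"ALERT {ip}: " + "; ".join(reasons))
```

The 403 counter corresponds to the "multiple failed attempts" indicator and the distinct-identifier counter to "access outside normal patterns"; a burst of distinct identifiers that all return 200 from one source is the case to watch on an unpatched instance, which is why the enumeration check does not depend on the status code.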