CVE-2023-49788
📋 TL;DR
This vulnerability in Collabora Online's Built-in CODE Server allows attackers to overwrite files outside the designated session directory by sending modified client-server commands. It affects users running vulnerable versions of the richdocumentscode app without chroot sandboxing. The impact is limited to files accessible by the server process.
💻 Affected Systems
- Collabora Online - Built-in CODE Server (richdocumentscode)
📦 What is this software?
Richdocumentscode by Collaboraoffice
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the server through arbitrary file writes, potentially leading to remote code execution, data destruction, or privilege escalation.
Likely Case
Unauthorized file modification or deletion within the server's accessible file system, potentially disrupting service or altering configuration files.
If Mitigated
Limited impact if server runs with minimal permissions and file system access is restricted, though file writes could still occur within allowed directories.
🎯 Exploit Status
Exploitation requires sending modified client-server commands but no authentication is needed. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.5.602
Vendor Advisory: https://github.com/CollaboraOnline/online/security/advisories/GHSA-3r69-xvf7-v94j
Restart Required: Yes
Instructions:
1. Back up current configuration and data.
2. Update the richdocumentscode app to version 23.5.602 or later via your package manager or app update mechanism.
3. Restart the Collabora Online service.
4. Verify the update was successful.
🔧 Temporary Workarounds
No workarounds available
The vendor states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Isolate the Collabora Online server from untrusted networks using firewall rules
- Implement strict file system permissions and run the server with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Check the richdocumentscode app version. If it's earlier than 23.5.602, the system is vulnerable.
Check Version:
Check via your package manager (e.g., 'apt list --installed | grep richdocumentscode' on Debian/Ubuntu) or app management interface.
Verify Fix Applied:
Confirm the richdocumentscode app version is 23.5.602 or later and verify the service is running properly.
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations outside session directories
- Abnormal client command patterns
- Permission denied errors for unexpected file paths
Network Indicators:
- Unusual traffic patterns to Collabora Online server
- Modified protocol commands in network captures
SIEM Query:
source="collabora_logs" AND (event_type="file_write" AND NOT path:"/tmp/richdocumentscode-session-*")
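An added example, not part of the original advisory or of Collabora's code: the SIEM query above compares the raw path string, so a logged path that starts with the session prefix but contains `..` segments would pass the filter. The code below normalizes each path before comparing it with the session directory pattern. The JSON event layout and field names are assumptions, and the sample lines are constructed.

```python
import fnmatch
import json
import posixpath

# Directory pattern taken from the SIEM query on this page.
SESSION_DIR_GLOB = "richdocumentscode-session-*"

# Constructed sample events. The JSON layout and field names are assumptions
# for illustration, not Collabora Online's real log format.
SAMPLE_EVENTS = [
    '{"event_type": "file_write", "path": "/tmp/richdocumentscode-session-a1/doc.odt"}',
    '{"event_type": "file_write", "path": "/tmp/richdocumentscode-session-a1/../outside.txt"}',
    '{"event_type": "file_write", "path": "/var/lib/example/settings.xml"}',
    '{"event_type": "session_open", "path": "/var/lib/example/settings.xml"}',
    'truncated line, not JSON',
]


def in_session_dir(raw_path):
    """Return True if the normalized path is a file under /tmp/<session dir>/."""
    # normpath collapses "." and ".." lexically; it does not resolve symlinks,
    # which cannot be followed from a log line anyway.
    parts = posixpath.normpath(raw_path).split("/")
    # An accepted path splits into ['', 'tmp', '<session dir>', <file...>].
    return (
        len(parts) >= 4
        and parts[0] == ""
        and parts[1] == "tmp"
        and fnmatch.fnmatchcase(parts[2], SESSION_DIR_GLOB)
    )


def suspicious_writes(lines):
    """Return (raw, normalized) paths of file writes outside session dirs."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparsable lines are skipped, not treated as hits
        if not isinstance(event, dict) or event.get("event_type") != "file_write":
            continue
        raw = str(event.get("path", ""))
        if not in_session_dir(raw):
            hits.append((raw, posixpath.normpath(raw)))
    return hits


if __name__ == "__main__":
    for raw, norm in suspicious_writes(SAMPLE_EVENTS):
        print(f"ALERT raw={raw} normalized={norm}")
```

Reporting both the raw and the normalized path lets an analyst see when the two differ, which is itself worth reviewing.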