Impact
This vulnerability could allow an attacker to link a project he controls to any repository (even one the attacker doesn't have access to) by using the import functionality of API V3. Linking a project to a repository doesn't grant access to the repository or allow changing the repository in any way.
The open source community version of Read the Docs (https://readthedocs.org/) isn't affected by this vulnerability, as the impact is null. In Read the Docs for Business (https://readthedocs.com), however, linking a project to a repository can be used to grant a user access to that attacker-controlled project without the user accepting an invitation; this can be used to carry out an attack similar to GHSA-4mgr-vrh5-hj8q. Note that this doesn't allow the attacker to give himself access to a project.
Users do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed. This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
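The defect described above is a missing authorization check on the import step: a repository was accepted for linking without confirming that the requester could actually access it. The following is an added illustration, not Read the Docs code; the data model, the `REMOTE_REPOS` catalogue and the two `import_project_*` functions are constructed to show the unchecked shape beside the corrected one.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class RemoteRepository:
    id: int
    clone_url: str


@dataclass
class User:
    username: str
    # Ids of repositories this user is known (via the provider) to have access to.
    accessible_repo_ids: Set[int] = field(default_factory=set)


@dataclass
class Project:
    name: str
    remote_repository: Optional[RemoteRepository] = None


class PermissionDenied(Exception):
    pass


# Constructed catalogue of repositories the service has synced from providers.
REMOTE_REPOS: Dict[int, RemoteRepository] = {
    1: RemoteRepository(1, "https://github.com/example-org/public-docs"),
    2: RemoteRepository(2, "https://github.com/other-org/private-docs"),
}


def import_project_unchecked(user: User, name: str, remote_repository_id: int) -> Project:
    """Vulnerable shape: any repository id the service knows about is accepted,
    so a requester can link their project to a repository they cannot access."""
    repo = REMOTE_REPOS[remote_repository_id]
    return Project(name=name, remote_repository=repo)


def import_project_checked(user: User, name: str, remote_repository_id: int) -> Project:
    """Hardened shape: the lookup is scoped to the requester's accessible set,
    so an id outside that set is rejected before any link is created."""
    if remote_repository_id not in user.accessible_repo_ids:
        raise PermissionDenied(
            f"{user.username} has no access to remote repository {remote_repository_id}"
        )
    repo = REMOTE_REPOS[remote_repository_id]
    return Project(name=name, remote_repository=repo)
```

The check is deliberately an allow-list over the requester's own repositories rather than a blocklist, so a newly synced repository is never linkable by default.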
Custom installations
This vulnerability doesn't have any impact on the open source version of Read the Docs, so custom installations aren't affected.
Patches
This vulnerability has been patched with our 11.3.1 release.
References
For more information
If you have any questions or comments about this advisory, email us at [email protected] (PGP).