CVE-2021-41868: 
Python vulnerability analysis and mitigation

OnionShare 2.3 before version 2.4 contains a vulnerability that allows remote unauthenticated attackers to upload files on a non-public node when using the --receive functionality. The vulnerability, tracked as CVE-2021-41868, was discovered in October 2021 and affects the file sharing capabilities of the OnionShare platform, which is designed for secure and anonymous file sharing over the Tor network (IHTeam Blog, Debian Tracker).

The vulnerability exists in the receive_mode.py file of OnionShare, where the application initiates the upload process before checking for Flask HTTPAuth. This implementation flaw allows attackers to bypass the Basic Authorization that is normally required in non-public mode, where the system generates a random username and password at startup (IHTeam Blog).

The vulnerability allows unauthorized users to upload files to OnionShare instances that are configured in non-public mode, effectively bypassing the authentication mechanism. This poses a significant security risk as it undermines the platform's access control system, particularly concerning for journalists and users in oppressed countries who rely on OnionShare for secure file sharing (IHTeam Blog).

The vulnerability has been fixed in OnionShare version 2.4. Users running affected versions (2.3 through 2.3.3) should upgrade to version 2.4 or later to protect against unauthorized file uploads. The fix was implemented by properly enforcing authentication checks before allowing file uploads (Debian Tracker).