CVE-2022-24837: 
NixOS vulnerability analysis and mitigation

HedgeDoc, an open-source, web-based, self-hosted, collaborative markdown editor, was found to have a vulnerability in versions 1.9.1 and later (prior to 1.9.3). The vulnerability (CVE-2022-24837) involves enumerable filenames after image uploads, which could potentially lead to information leakage of uploaded documents. This issue particularly affects private notes and impacts all upload backends except Lutim and imgur (GitHub Advisory).

The vulnerability stems from a change in behavior between versions 1 and 2 of the formidable package, which HedgeDoc uses for file uploads. In version 2, formidable generates predictable filenames by default, making uploaded files enumerable. Files generated during the vulnerable period follow a predictable pattern (e.g., 38e56506ec2dcab52e9282c00.jpg, 38e56506ec2dcab52e9282c01.jpg). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory, NVD).

The vulnerability could lead to unauthorized access to uploaded documents, particularly affecting private notes. The predictable nature of the filenames makes it possible for attackers to enumerate and potentially access uploaded files, compromising the confidentiality of sensitive information (GitHub Advisory).

The vulnerability was patched in HedgeDoc version 1.9.3 by replacing the filename generation with UUIDv4, resulting in unpredictable filenames (e.g., a67f36b8-9afb-43c2-9ef2-a567a77d8628.jpg). For users unable to upgrade to version 1.9.3, a workaround is available by blocking POST requests to /uploadimage, which will disable future uploads (GitHub Advisory, GitHub Commit).

The vulnerability was responsibly disclosed by Matias from NCSC-FI (National Cyber Security Centre Finland), demonstrating effective collaboration between security researchers and the open-source community (GitHub Advisory).