
Cloud Vulnerability DB
A community-led vulnerabilities database
HedgeDoc, software for creating real-time collaborative markdown notes, was found to contain a vulnerability (CVE-2023-38487) in versions prior to 1.9.9. The vulnerability allows users to create notes with an alias matching the ID of an existing note, effectively hiding the original note. It was discovered and disclosed in August 2023 and affects all versions of HedgeDoc up to and including 1.9.8 (GitHub Advisory).
The vulnerability exists in the API of HedgeDoc 1 when the freeURL feature is enabled (via the allowFreeURL config option or the CMD_ALLOW_FREEURL environment variable set to true). Users with appropriate permissions can make a POST request to the /new/ API endpoint, where the alias can be set to match an existing note's ID. The system failed to verify whether the provided alias corresponded to the ID of an existing note. When a note is accessed, HedgeDoc searches for a note with a matching alias before searching by ID, so only the new note is reachable (GitHub Advisory, NVD). The vulnerability has been assigned a CVSS v3.1 base score of 8.2 HIGH by NVD.
The vulnerability's impact varies depending on the instance's permission settings. Attackers with knowledge of a target note's ID could present manipulated copies of original notes to users, potentially replacing links with malicious ones. Additionally, attackers could prevent access to original notes, causing a denial of service. However, no data loss occurs as the original content remains in the database (GitHub Advisory).
The vulnerability was patched in version 1.9.9 with improved already-exist checks in note creation. For users unable to upgrade, two workarounds are available: 1) Disable freeURL mode to prevent exploitation, or 2) Limit the impact by restricting freeURL note creation to trusted, logged-in users by enabling requireFreeURLAuthentication/CMD_REQUIRE_FREEURL_AUTHENTICATION (GitHub Advisory).
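To make the alias/ID collision and the 1.9.9-style already-exist check concrete, here is an added example (not HedgeDoc's code) that models note creation and the alias-before-ID lookup in memory; NoteStore and all of its method names are assumptions, and the store also carries an audit helper that lists notes whose ID is shadowed by another note's alias.

```javascript
// Added example, not HedgeDoc's code: an in-memory model of the note creation and
// lookup logic the advisory describes. NoteStore and its method names are assumptions.
class NoteStore {
  constructor() {
    this.byId = new Map(); // generated ID -> note
    this.nextId = 1;
  }

  // Every note gets a generated ID; the alias is optional (freeURL mode).
  create(content, alias = null) {
    const note = { id: 'n' + this.nextId++, alias, content };
    this.byId.set(note.id, note);
    return note;
  }

  aliasInUse(alias) {
    for (const n of this.byId.values()) if (n.alias === alias) return true;
    return false;
  }

  // Lookup order described above: a matching alias wins over a matching ID.
  resolve(key) {
    for (const n of this.byId.values()) if (n.alias === key) return n;
    return this.byId.get(key) || null;
  }

  // Pre-1.9.9 behaviour (modelled): the check only asks whether the alias is
  // already used as an alias, so an alias equal to another note's ID is accepted
  // and, because resolve() prefers aliases, the older note is no longer reachable.
  createFreeUrlNoteVulnerable(alias, content) {
    if (this.aliasInUse(alias)) throw new Error('alias already exists');
    return this.create(content, alias);
  }

  // 1.9.9-style already-exist check: the alias must collide with neither an
  // existing alias nor an existing ID.
  createFreeUrlNoteFixed(alias, content) {
    if (this.aliasInUse(alias) || this.byId.has(alias)) {
      throw new Error('alias already exists');
    }
    return this.create(content, alias);
  }

  // Audit helper for an existing instance: notes whose ID is shadowed by another
  // note's alias. The shadowed content is still stored, as the advisory notes.
  findShadowedNotes() {
    return [...this.byId.values()].filter((n) => this.aliasInUse(n.id));
  }
}
```

Running findShadowedNotes() over a real note table (ID and alias columns) is the check an operator would want before and after upgrading, since the original notes remain in the database.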
Source: This report was generated using AI