PYSEC-2022-43
Vulnerability from pysec - Published: 2022-01-18 23:15 - Updated: 2022-03-09 00:16
VLAI?
Details
OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions anyone with access to the chat environment can write messages disguised as another chat participant.
Impacted products
| Name | purl | onionshare-cli | pkg:pypi/onionshare-cli |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "onionshare-cli",
"purl": "pkg:pypi/onionshare-cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.3",
"2.3.1",
"2.3.2",
"2.3.3"
]
}
],
"aliases": [
"CVE-2022-21692",
"GHSA-gjj5-998g-v36v"
],
"details": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions anyone with access to the chat environment can write messages disguised as another chat participant.",
"id": "PYSEC-2022-43",
"modified": "2022-03-09T00:16:43.273792Z",
"published": "2022-01-18T23:15:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v"
},
{
"type": "WEB",
"url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
}
]
}
GHSA-GJJ5-998G-V36V
Vulnerability from github – Published: 2022-01-21 23:20 – Updated: 2024-10-07 21:20
VLAI?
Summary
Improper Access Control in Onionshare
Details
Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.
- Vulnerability ID: OTF-003
- Vulnerability type: Improper Access Control
- Threat level: Moderate
Description:
Anyone with access to the chat environment can write messages disguised as another chat participant.
Technical description:
Prerequisites:
- Alice and Bob are legitimate users
- A third user has access to the chat environment
This screenshot shows Alice (glimpse-depress) and Bob (blinker-doorpost) joined a chatroom and are the only participants in the chatroom. Then the non-listed user squad-nursing writes a message in the chatroom without being visible in the list of users. The sending of the message itself is not required but was done here to show the initial access. The non-listed participant now renames himself to Bob and writes another message, seemingly coming from Bob.
This can be reproduced by slightly modifying the client-side JavaScript. The joined emit needs to be removed from the socket.on(connect)event handler. Therefore a client is not listed in the userlist and has no active session.
https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/resources/static/js/chat.js#L16-L18
This can be done either via a crafted client or runtime modification of the chat.js script in the browser's internal debugger.
It is still possible to call the text method and send text to the chat via websocket.
https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L131-L139
It is also possible to call the update_username function and choose an existing username from the chat.
https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L141-L162
Afterwards the hidden user can send messages that are displayed as coming from the impersonated user. There is no way to distinguish between the fake and original message.
Impact:
An adversary with access to the chat environment can impersonate existing chat participants and write messages but not read the conversation. The similar exploit described in OTF-004 (page 19) has only slightly more requirements but also allows for reading.
Recommendation:
- Implement proper session handling
Severity ?
4.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "onionshare-cli"
},
"ranges": [
{
"events": [
{
"introduced": "2.3"
},
{
"fixed": "2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-21692"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-19T19:20:26Z",
"nvd_published_at": "2022-01-18T23:15:00Z",
"severity": "MODERATE"
},
"details": "Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund\u0027s [Red Team lab](https://www.opentech.fund/labs/red-team-lab/). This is an issue from that penetration test.\n\n- Vulnerability ID: OTF-003\n- Vulnerability type: Improper Access Control\n- Threat level: Moderate\n\n## Description:\n\nAnyone with access to the chat environment can write messages disguised as another chat participant.\n\n## Technical description:\n\nPrerequisites:\n\n- Alice and Bob are legitimate users\n- A third user has access to the chat environment\n\n\n\nThis screenshot shows Alice (`glimpse-depress`) and Bob (`blinker-doorpost`) joined a chatroom and are the only participants in the chatroom. Then the non-listed user squad-nursing writes a message in the chatroom without being visible in the list of users. The sending of the message itself is not required but was done here to show the initial access. The non-listed participant now renames himself to Bob and writes another message, seemingly coming from Bob.\n\nThis can be reproduced by slightly modifying the client-side JavaScript. The `joined` emit needs to be removed from the `socket.on(connect) `event handler. Therefore a client is not listed in the userlist and has no active session.\n\nhttps://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/resources/static/js/chat.js#L16-L18\n\nThis can be done either via a crafted client or runtime modification of the `chat.js` script in the browser\u0027s internal debugger.\n\nIt is still possible to call the text method and send text to the chat via websocket.\n\nhttps://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L131-L139\n\nIt is also possible to call the `update_username` function and choose an existing username from the chat.\n\nhttps://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L141-L162\n\nAfterwards the hidden user can send messages that are displayed as coming from the impersonated user. There is no way to distinguish between the fake and original message.\n\n## Impact:\n\nAn adversary with access to the chat environment can impersonate existing chat participants and write messages but not read the conversation. The similar exploit described in OTF-004 (page 19) has only slightly more requirements but also allows for reading.\n\n## Recommendation:\n\n- Implement proper session handling",
"id": "GHSA-gjj5-998g-v36v",
"modified": "2024-10-07T21:20:07Z",
"published": "2022-01-21T23:20:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21692"
},
{
"type": "PACKAGE",
"url": "https://github.com/onionshare/onionshare"
},
{
"type": "WEB",
"url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/onionshare-cli/PYSEC-2022-43.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Improper Access Control in Onionshare"
}
CVE-2022-21692 (GCVE-0-2022-21692)
Vulnerability from cvelistv5 – Published: 2022-01-18 22:10 – Updated: 2025-04-22 18:33
VLAI?
Title
Improper Access Control in Onionshare
Summary
OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions anyone with access to the chat environment can write messages disguised as another chat participant.
Severity ?
4.3 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| onionshare | onionshare |
Affected:
< 2.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:53:34.717Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21692",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:52:15.078659Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:33:15.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "onionshare",
"vendor": "onionshare",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions anyone with access to the chat environment can write messages disguised as another chat participant."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-18T22:10:15.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v"
}
],
"source": {
"advisory": "GHSA-gjj5-998g-v36v",
"discovery": "UNKNOWN"
},
"title": "Improper Access Control in Onionshare",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21692",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in Onionshare"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "onionshare",
"version": {
"version_data": [
{
"version_value": "\u003c 2.5"
}
]
}
}
]
},
"vendor_name": "onionshare"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions anyone with access to the chat environment can write messages disguised as another chat participant."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/onionshare/onionshare/releases/tag/v2.5",
"refsource": "MISC",
"url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
},
{
"name": "https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v",
"refsource": "CONFIRM",
"url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v"
}
]
},
"source": {
"advisory": "GHSA-gjj5-998g-v36v",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21692",
"datePublished": "2022-01-18T22:10:15.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:33:15.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…