CVE-2022-21696 – onionshare-cli

Package

Manager: pip
Name: onionshare-cli
Vulnerable Version: >=2.3 <2.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00209 pctl0.4337

Details

Username spoofing in OnionShare Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's [Red Team lab](https://www.opentech.fund/labs/red-team-lab/). This is an issue from that penetration test. - Vulnerability ID: OTF-005 - Vulnerability type: Improper Input Sanitization - Threat level: Low ## Description: It is possible to change the username to that of another chat participant with an additional space character at the end of the name string. ## Technical description: Assumed users in Chat: - Alice - Bob - Mallory 1. Mallory renames to `Alice `. 2. Mallory sends message as `Alice `. 3. Alice and Bob receive a message from Mallory disguised as `Alice `, which is hard to distinguish from the `Alice` in the web interface. ![otf-005-a](https://user-images.githubusercontent.com/156128/140666112-8febd4d8-6761-41aa-955c-48be76f3c657.png) ![otf-005-b](https://user-images.githubusercontent.com/156128/140666113-1713ddf7-cef6-4dac-b718-9af1dc4ffdcd.png) Other (invisible) whitespace characters were found to be working as well. ## Impact: An adversary with access to the chat environment can use the rename feature to impersonate other participants by adding whitespace characters at the end of the username. ## Recommendation: - Remove non-visible characters from the username

Metadata

Created: 2022-01-21T23:20:14Z
Modified: 2024-10-08T12:39:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-68vr-8f46-vc9f/GHSA-68vr-8f46-vc9f.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-68vr-8f46-vc9f
Finding: F184
Auto approve: 1