
Open Redirect Issue affecting Read the Docs versions before 3.5.1

low
davidfischer published GHSA-2mw9-4c46-qrcv Jun 11, 2019 · 1 comment

Package

No package listed

Affected versions

< 3.5.1

Patched versions

3.5.1

Description

Impact

Read the Docs 3.5.1 fixes an issue that affected projects with "prefix" or "sphinx" user-defined redirects. The issue allowed the creation of hyperlinks that looked like they would go to a documentation domain on Read the Docs (either *.readthedocs.io or a custom docs domain) but instead went to a different domain.
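The advisory does not describe the redirect mechanism, so the following is an added example (not Read the Docs code) that assumes a simplified user-defined "prefix" redirect table: it shows how a resolver that emits the user-supplied target unchecked can send a browser off the docs domain, beside a version that only redirects when the resolved target stays on the project's docs host. The docs host and the table entries are constructed.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed sample: an assumed docs host and user-defined "prefix"
# redirects (from-prefix -> to-path). The hostile entries are the kind of
# value a validating resolver must refuse; they are illustrative only.
DOCS_HOST = "example-project.readthedocs.io"
PREFIX_REDIRECTS = {
    "/old/": "/en/latest/",               # benign: stays on the docs domain
    "/v1/": "//attacker.example/docs/",   # protocol-relative: leaves the domain
    "/v2/": "https://attacker.example/",  # absolute external URL
}


def naive_resolve(path: str, redirects: dict) -> Optional[str]:
    """Weak resolver: swap the prefix and return whatever results.

    If the returned string goes straight into the Location header, a
    target such as '//attacker.example/' is honoured by the browser as an
    off-domain redirect even though the link shown to the user was on
    the docs host.
    """
    for prefix, target in redirects.items():
        if path.startswith(prefix):
            return target + path[len(prefix):]
    return None


def safe_resolve(path: str, redirects: dict, docs_host: str) -> Optional[str]:
    """Hardened resolver: resolve the target against the docs origin and
    emit it only if it still points at that origin."""
    raw = naive_resolve(path, redirects)
    if raw is None:
        return None
    base = f"https://{docs_host}/"
    # urljoin keeps the host of '//x/...' and 'https://x/...' references,
    # so an off-origin target surfaces here instead of being masked.
    absolute = urljoin(base, raw)
    parts = urlsplit(absolute)
    if parts.scheme != "https" or parts.netloc.lower() != docs_host.lower():
        return None  # off-origin target: refuse to redirect (and log it)
    return absolute
```

A real deployment would also accept the project's custom docs domain(s) in place of the single `docs_host` string, and serve a 404 rather than the raw target when the check fails.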

This issue was reported by Peter Thomassen and the desec.io DNS security project and was funded by SSE.

Patches

The problem has been fixed and deployed on readthedocs.org. For users who depend on the Read the Docs code line for a private instance of Read the Docs, you are encouraged to update to 3.5.1 as soon as possible.

For more information

If you have any questions or comments about this advisory:

GHSA ID

GHSA-2mw9-4c46-qrcv

Credits