Main Vulnerability Database SB2021120932

SB2021120932 - Improper Validation of Specified Type of Input in Etherpad

Published: December 9, 2021 Updated: April 17, 2026

Security Bulletin ID SB2021120932

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Validation of Specified Type of Input (CVE-ID: CVE-2021-43802)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper authorization in the *.etherpad import handling functionality when importing a crafted *.etherpad file. A remote user can import a specially crafted *.etherpad file to execute arbitrary code.

Exploitation to gain administrative privileges requires deleted or cleaned-up express-session state, such as via a plugin that deletes session state or a custom cleanup process. Even if access to /admin/* pages is blocked by a reverse proxy, the issue can still be used to crash Etherpad or bypass authorization checks to access restricted pads.

Remediation

Install update from vendor's website.

References

https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc