CVE-2020-14423: Convos 4.19 Generates a Predictable Secret
Convos is an open source web-based IRC client.
In the vulnerable versions, the local secret is generated as follows:
    my $secret = Mojo::Util::md5_sum(join ':', $self->core->home->to_string, $<, $(, $0);
The secret is the MD5 hex digest of the following values, joined by ':':
- Home directory of the application
- Real UID of the process
- Real GID of the process
- Name of the executed program
The resulting local_secret is therefore fully predictable when Convos runs under Docker, where these inputs are effectively constant, and easily guessable on other platforms, since none of the inputs is secret.
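As an added check, not code from Convos or from the advisory, the Perl script below recomputes the weak value with the same inputs and join order as the vulnerable code, so an administrator can confirm that a regenerated secret no longer matches it, and shows how a secret should be produced instead (from the kernel CSPRNG). The home path, GID string and program name used as sample inputs are constructed to resemble a container deployment and are not taken from any real image.

```perl
#!/usr/bin/env perl
# Added example, not Convos code: reproduces the weak derivation from the
# advisory so an administrator can verify that a configured secret is NOT
# the predictable value, and shows how a secret should be generated instead.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);   # Mojo::Util::md5_sum is a thin wrapper over this

# Same inputs and join order as the vulnerable Convos code.
sub derived_secret {
    my ($home, $uid, $gid, $prog) = @_;
    return md5_hex(join ':', $home, $uid, $gid, $prog);
}

# True if the configured secret equals the value derived from the process
# attributes, i.e. the installation is still using the predictable secret.
sub uses_predictable_secret {
    my ($configured, @attrs) = @_;
    return $configured eq derived_secret(@attrs) ? 1 : 0;
}

# 32 bytes from /dev/urandom, hex encoded: what a secret should look like.
sub random_secret {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $got = read $fh, my $bytes, 32;
    close $fh;
    die 'short read from urandom' unless defined $got && $got == 32;
    return unpack 'H*', $bytes;
}

# Constructed values resembling a containerised deployment: home directory,
# UID, GID (Perl's $( as seen by the process) and program name are all fixed
# by the image, so every container built from it derives the same secret.
my @container = ('/app', 0, '0 0', 'script/convos');
my $weak = derived_secret(@container);
printf "derived secret for a fixed environment: %s\n", $weak;
printf "second install, same image, same secret: %s\n",
    $weak eq derived_secret(@container) ? 'yes' : 'no';

# Check a configured secret against the weak value; a regenerated one passes.
my $regenerated = random_secret();
printf "still predictable? configured=weak: %d, configured=random: %d\n",
    uses_predictable_secret($weak, @container),
    uses_predictable_secret($regenerated, @container);

# Sanity check: the derived value is a 32-character lowercase hex MD5 digest.
die 'unexpected digest format' unless $weak =~ /\A[0-9a-f]{32}\z/;
```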
A remote attacker who derives the secret may be able to create invite links or reset passwords for existing users.
Convos 4.19 and earlier are vulnerable.
Users should upgrade to Convos 4.20 or newer, and regenerate secrets for their installation.
Timeline:
- 2020-06-12: Vulnerability discovered, vendor notified
- 2020-06-14: Patch created by vendor
- 2020-06-18: Version 4.20 released, CVE assigned
Thanks to Jan Henning Thorsen for quickly fixing the vulnerability.
Vulnerability discovered by Stig Palmquist.