Impact
This vulnerability could potentially allow a malicious user to create integrations that don't require a payload validation for any project. This integration could have been used to trigger builds to existing versions, create external versions, and update the identifier of the project's default version under some circumstances.
We have migrated some of the webhooks automatically, and contacted users that have webhooks without a secret set that we weren't able to migrate automatically, so they can generate a secret for those webhooks. New webhooks, even manually created webhooks, will always be created with a shared secret set. The actions a webhook without a secret can do are now limited to trigger builds to existing versions, and support for them will be removed on January 31, 2024. You can read more about this at https://blog.readthedocs.com/security-update-on-incoming-webhooks/.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Special thanks to @daquinteroflex who brought this issue to our attention.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This vulnerability has been patched in our 10.11.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP).
stsewd Analyst
Impact
This vulnerability could potentially allow a malicious user to create integrations that don't require a payload validation for any project. This integration could have been used to trigger builds to existing versions, create external versions, and update the identifier of the project's default version under some circumstances.
We have migrated some of the webhooks automatically, and contacted users that have webhooks without a secret set that we weren't able to migrate automatically, so they can generate a secret for those webhooks. New webhooks, even manually created webhooks, will always be created with a shared secret set. The actions a webhook without a secret can do are now limited to trigger builds to existing versions, and support for them will be removed on January 31, 2024. You can read more about this at https://blog.readthedocs.com/security-update-on-incoming-webhooks/.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Special thanks to @daquinteroflex who brought this issue to our attention.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This vulnerability has been patched in our 10.11.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP).