Impact
This vulnerability could potentially allow a malicious user to use the API v2 to create, update, and delete any projects on the community version of Read the Docs (readthedocs.org). On Read the Docs for Business (readthedocs.com) the malicious user needs to belong to the organization of the target project in order to exploit this vulnerability (to any team of the organization with at least read only access).
Users of https://readthedocs.org/ and https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This vulnerability has been patched in our 9.14.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at [email protected] (PGP)
stsewd Finder
Impact
This vulnerability could potentially allow a malicious user to use the API v2 to create, update, and delete any projects on the community version of Read the Docs (readthedocs.org). On Read the Docs for Business (readthedocs.com) the malicious user needs to belong to the organization of the target project in order to exploit this vulnerability (to any team of the organization with at least read only access).
Users of https://readthedocs.org/ and https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This vulnerability has been patched in our 9.14.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at [email protected] (PGP)