CVE-2022-21690

NameCVE-2022-21690
DescriptionOnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions The path parameter of the requested URL is not sanitized before being passed to the QT frontend. This path is used in all components for displaying the server access history. This leads to a rendered HTML4 Subset (QT RichText editor) in the Onionshare frontend.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1014966

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
onionshare (PTS)buster1.3.2-1fixed
bullseye2.2-3+deb11u1fixed
bookworm2.6-5~deb12u1fixed
sid, trixie2.6-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
onionsharesourcebuster(not affected)
onionsharesourcebullseye2.2-3+deb11u1
onionsharesource(unstable)2.5-11014966

Notes

[buster] - onionshare <not-affected> (Vulnerable code introduced later in v2.0)
https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq
https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0 (v2.5)

Search for package or bug name: Reporting problems