Impact
This vulnerability could allow a malicious user to read any file that our application has read access to.
Exploiting it requires creating symlinks that point to files outside the project root.
Users of https://readthedocs.org/ and https://readthedocs.com/ do not need to take any further action; we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs of intrusion in our systems or of this vulnerability having been exploited.
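The check below is an added illustration of the defensive measure this class of bug calls for, not Read the Docs' own code: resolve every symlink and `..` component of a path before reading it, and reject the result if it no longer lies under the project root. The directory layout and the `settings.py` target it builds are constructed for the demo.

```python
"""Reject paths that escape a project root through symlinks or '..' components."""
import tempfile
from pathlib import Path


def resolve_within_root(root, relative: str) -> Path:
    """Return the fully resolved path for ``relative`` if it stays under ``root``.

    Both sides go through ``Path.resolve(strict=True)``, so every symlink in the
    chain and every ``..`` is followed *before* the containment comparison.
    Raises ``ValueError`` when the final target lives outside ``root``.
    """
    root_path = Path(root).resolve(strict=True)
    candidate = (root_path / relative).resolve(strict=True)
    try:
        candidate.relative_to(root_path)  # raises ValueError if not contained
    except ValueError:
        raise ValueError(f"{relative!r} resolves to {candidate}, outside {root_path}")
    return candidate


def demo() -> dict:
    """Build a constructed layout (hypothetical, not a real project) and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "index.html").write_text("ok")
        # Stand-in for a sensitive file outside the project root.
        secret = Path(tmp) / "settings.py"
        secret.write_text("SECRET_KEY = 'constructed'")
        # A symlink inside the project that points outside it.
        (root / "docs" / "leak").symlink_to(secret)

        inside = resolve_within_root(root, "docs/index.html").read_text()
        results = {"inside": inside}
        for name, rel in (("symlink", "docs/leak"), ("dotdot", "../settings.py")):
            try:
                resolve_within_root(root, rel)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```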
Custom installations
We don't officially support custom installations of Read the Docs, but if you are using one, we recommend that you upgrade and rotate any secrets you may have on your build servers, such as those in your Django settings files.
We also generally recommend build servers only have API access and not direct database access, which is how our servers are configured in production.
Patches
This issue has been patched in our 9.1.0 release.
References
For more information
If you have any questions or comments about this advisory: