4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-21691

GHSA ID

GHSA-w9m4-7w72-r766

EPSS Score

0.36462%

CWE

CWE-306

Published

1/21/2022

Updated

10/7/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-21691

CVE-2022-21691: Improper Access Control in Onionshare

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.

Vulnerability ID: OTF-004
Vulnerability type: Improper Access Control
Threat level: Moderate

Description:

Chat participants can spoof their channel leave message, tricking others into assuming they left the chatroom.

Technical description:

otf-004-a otf-004-b otf-004-c

This series of screenshots show Alice, Bob and Eve joined a chatroom and are the only participants in the chatroom. Eve seemingly leaves the chatroom, which leads Bob and Alice to believe they are having a private chat. The last screenshot shows that Eve only emitted the leave message and is still able to read the chat and possibly write messages.

This can be reproduced by joining the chat with two different instances, where one instance has slightly modified the client-side JavaScript code similar to OTF-003 (page 22). The joined emit needs to be removed from the connect event handler. Therefore the modified client is not listed in the userlist and has no active session. The modified non-listed user also needs to change their username to Eve, which is not shown in the chatroom. The modified client then emits the disconnect event and their connection is no longer usable.

This results in the leave message for Eve and the removal from the user-list but not in removal of the original session of the Eve who announced to join the chat.

Impact:

An adversary with access to the chat environment can spoof his leave event but still persist in the chat with access to all sent messages and the possibility to write in the chat using OTF-003 (page 22).

Recommendation:

Implement proper session handling

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-21691

GHSA ID

GHSA-w9m4-7w72-r766

EPSS Score

0.36462%

CWE

CWE-306

Published

1/21/2022

Updated

10/7/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
onionshare-cli	pip	>= 2.3, < 2.5	2.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability reports and references do not contain specific code snippets, file paths, or function names that would allow confident identification of vulnerable functions. The technical description references client-side JavaScript modifications and server-side session handling issues, but:

No actual code or commit diffs are provided in the advisory materials
The GitHub release notes only mention general 'hardening improvements for session and username management'
The CWE-306 classification suggests missing authentication in critical functions, but without code context we can't map this to specific functions
The attack involves event emission patterns (connect/disconnect handling) rather than specific named functions While the vulnerability clearly exists in chat session management logic, the available public documentation lacks the implementation details needed to identify exact vulnerable functions with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**tw**n S*pt*m**r **, **** *n* O*to**r *, ****, [R**i**lly Op*n S**urity](*ttps://www.r**i**llyop*ns**urity.*om/) *on*u*t** * p*n*tr*tion t*st o* OnionS**r* *.*, *un*** *y t** Op*n T***nolo*y *un*'s [R** T**m l**](*ttps://www.op*nt***.*un*/l**s/r**-t

Reasoning

T** provi*** vuln*r**ility r*ports *n* r***r*n**s *o not *ont*in sp**i*i* *o** snipp*ts, *il* p*t*s, or *un*tion n*m*s t**t woul* *llow *on*i**nt i**nti*i**tion o* vuln*r**l* *un*tions. T** t***ni**l **s*ription r***r*n**s *li*nt-si** J*v*S*ript mo*i

4.3

Basic Information

Concerned about an active attack path?

CVE-2022-21691: Improper Access Control in Onionshare

Description:

Technical description:

Impact:

Recommendation:

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI