Joplin 2.8.8 Remote Command Execution via Malicious Markdown (CVE-2022-40277)

Key Information Vulnerability Name: Joplin 2.8.8 - Remote Command Execution CVE ID: CVE-2022-40277 Severity: 7.7 (High) Discoverer: Carlos Bello, Offensive Team, Fluid Attacks Discovery Date: September 7, 2022 Disclosure Date: September 26, 2022 Affected Product: Joplin Affected Version: 2.8.8 Vulnerability Description Joplin version 2.8.8 contains a remote command execution vulnerability. Attackers can exploit malicious markdown files containing links to execute arbitrary commands remotely on any client that opens the file. This occurs because the application fails to properly validate the pattern/protocol of existing links in markdown files before passing them to the function. Exploitation Conditions To achieve remote command execution, attackers must exploit specific patterns/protocols. These patterns/protocols behave differently across operating systems. For example, on Xubuntu 20.04 (Xfce), attackers can trigger automatic execution of a file mounted from a remote location. Other Linux distributions do not execute these files by default. Exploitation Method To exploit this vulnerability, an attacker must send the following files to the victim, who then opens them with Joplin: exploit.md: The parameter in the payload.desktop file can contain any command the attacker wishes to execute. Proof of Exploitation Evidence images demonstrating successful exploitation of the vulnerability by attackers have been provided. Mitigation No patch is currently available to fix this vulnerability. Timeline September 7, 2022: Vulnerability discovered September 8, 2022: Vendor notified September 26, 2022: Public disclosure System Information Joplin Version: 2.8.8 Operating System: GNU/Linux - Xubuntu 20.04 (Xfce)

Goal Reached Thanks to every supporter — we hit 100%!

Joplin 2.8.8 Remote Command Execution via Malicious Markdown (CVE-2022-40277)