CVE-2020-8902

Source
https://cve.org/CVERecord?id=CVE-2020-8902
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8902.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-8902
Aliases
Published
2021-02-23T12:15:12.600Z
Modified
2026-03-14T10:36:06.187400Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Rendertron versions prior to 3.0.0 are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted web page to force a Rendertron headless Chrome process to render internal sites it has access to and return them as a screenshot. Suggested mitigations are to upgrade Rendertron to version 3.0.0 or, if you cannot update, to secure the infrastructure so that the headless Chrome process cannot reach your internal domain.

References

Affected packages

Git / github.com/googlechrome/rendertron

Affected ranges

Type
GIT
Repo
https://github.com/googlechrome/rendertron
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.0.0"
        }
    ]
}

Affected versions

rendertron-middleware@0.*
rendertron-middleware@0.1.3
rendertron-middleware@0.1.4
rendertron-middleware@0.1.5
v1.*
v1.1.0
v2.*
v2.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8902.json"