CVE-2020-8902

Source
https://cve.org/CVERecord?id=CVE-2020-8902
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8902.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-8902
Aliases
Published
2021-02-23T12:15:12.600Z
Modified
2025-11-20T11:31:49.159249Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

Rendertron versions prior to 3.0.0 are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a Rendertron headless Chrome process to render internal sites it has access to and display them as a screenshot. Suggested mitigations are to upgrade Rendertron to version 3.0.0 or, if you cannot update, to secure the infrastructure to limit the headless Chrome process's access to your internal domain.

References

Affected packages

Git / github.com/googlechrome/rendertron

Affected ranges

Type
GIT
Repo
https://github.com/googlechrome/rendertron
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

rendertron-middleware@0.*
rendertron-middleware@0.1.3
rendertron-middleware@0.1.4
rendertron-middleware@0.1.5
v1.*
v1.1.0
v2.*
v2.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8902.json"