Rendertron 1.0.0 includes an _ah/stop
route to shutdown the Chrome instance responsible for serving render requests to all users. Visiting this route with a GET request allows any unauthorized remote attacker to disable the core service of the application.
{ "github_reviewed_at": "2020-06-16T20:58:46Z", "cwe_ids": [ "CWE-284" ], "nvd_published_at": null, "severity": "HIGH", "github_reviewed": true }