GHSA-xr9h-9m79-x29g

Source

https://github.com/advisories/GHSA-xr9h-9m79-x29g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-xr9h-9m79-x29g/GHSA-xr9h-9m79-x29g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xr9h-9m79-x29g

Aliases

CVE-2020-8902

Published

2021-03-01T19:38:23Z

Modified

2023-11-08T04:04:19.095906Z

Summary

SSRF in Rendertron

Details

Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are to upgrade your rendertron to version 3.0.0, or, if you cannot update, to secure the infrastructure to limit the headless chrome's access to your internal domain.

Database specific

{
    "nvd_published_at": "2021-02-23T12:15:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed_at": "2021-02-24T06:59:10Z",
    "severity": "MODERATE"
}

References

Affected packages

npm / rendertron

Package

Name: rendertron; View open source insights on deps.dev
Purl: pkg:npm/rendertron

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-xr9h-9m79-x29g/GHSA-xr9h-9m79-x29g.json"