GHSA-F7VX-J8MP-3H2X

Vulnerability from github – Published: 2021-04-13 15:18 – Updated: 2021-03-29 22:11
VLAI
Summary
Insufficient Verification of Data Authenticity in Eclipse Theia
Details

In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the hosts filesystem, given their path, without restrictions on the requesters origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.

Severity
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@theia/mini-browser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.9"
            },
            {
              "fixed": "0.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-17636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-29T22:11:05Z",
    "nvd_published_at": "2020-03-10T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is \"Mini-Browser\", published as \"@theia/mini-browser\" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the hosts filesystem, given their path, without restrictions on the requesters origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.",
  "id": "GHSA-f7vx-j8mp-3h2x",
  "modified": "2021-03-29T22:11:05Z",
  "published": "2021-04-13T15:18:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17636"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-theia/theia/pull/7205"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-theia/theia/commit/b212d07f915df1509180944ee3132714bc2636bf"
    },
    {
      "type": "WEB",
      "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Verification of Data Authenticity in Eclipse Theia"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.