CVE-2019-17636 – @theia/mini-browser
Package
Manager: npm
Name: @theia/mini-browser
Vulnerable Version: >=0.3.9 <0.16.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0012 (percentile 0.31682)
Details
Insufficient Verification of Data Authenticity in Eclipse Theia
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. For its own needs, this extension exposes an HTTP endpoint that returns the content of files on the host's filesystem given their path, without any restriction on the requester's origin. This design can be exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.
Metadata
Created: 2021-04-13T15:18:01Z
Modified: 2021-03-29T22:11:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-f7vx-j8mp-3h2x/GHSA-f7vx-j8mp-3h2x.json
CWE IDs: ["CWE-345"]
Alternative ID: GHSA-f7vx-j8mp-3h2x
Finding: F204
Auto approve: 1