GHSA-hfwx-c7q6-g54c – highcharts-export-server

Package

Manager: npm
Name: highcharts-export-server
Vulnerable Version: >=0 <2.1.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Vulnerability allowing for reading internal HTTP resources ### Impact The vulnerability allows for reading and outputting files served by other services on the internal network in which the export server is hosted. If the export server is exposed to the internet, this potentially allows a malicious user to gain read access to internal web-resources. The impact is limited to internal services that serve content via. HTTP(S), and requires the attacker to know internal hostnames/IP addresses. The previous versions have been marked as deprecated on NPM. ### Patches Version 2.1.0 released alongside this security advisory addresses the issue. **Please note that this release is not backwards compatible out of the box. See the [changelog](https://github.com/highcharts/node-export-server/blob/master/CHANGELOG.md) for details.** Additionally, it's also recommended to upgrade to the latest version of Highcharts to get the added input sanitation implemented in version 9.0 and later. ### Workarounds There are no known workarounds to the issue - an upgrade to version 2.1.0 is required. ### For more information If you have any questions or comments about this advisory: * Open an issue in [the export server issue tracker](https://github.com/highcharts/node-export-server/issues) * Email us at [security@highsoft.com](mailto:security@highsoft.com)

Metadata

Created: 2021-03-12T23:04:46Z
Modified: 2021-03-12T22:32:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-hfwx-c7q6-g54c/GHSA-hfwx-c7q6-g54c.json
CWE IDs: ["CWE-552"]
Alternative ID: N/A
Finding: F123
Auto approve: 1