Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY3dngtajhtcC0zaDJ4
Insufficient Verification of Data Authenticity in Eclipse Theia
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the hosts filesystem, given their path, without restrictions on the requesters origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.
Permalink: https://github.com/advisories/GHSA-f7vx-j8mp-3h2xJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY3dngtajhtcC0zaDJ4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Identifiers: GHSA-f7vx-j8mp-3h2x, CVE-2019-17636
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-17636
- https://github.com/eclipse-theia/theia/pull/7205
- https://github.com/eclipse-theia/theia/commit/b212d07f915df1509180944ee3132714bc2636bf
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747
- https://github.com/advisories/GHSA-f7vx-j8mp-3h2x
Blast Radius: 18.7
Affected Packages
npm:@theia/mini-browser
Dependent packages: 24Dependent repositories: 202
Downloads: 19,259 last month
Affected Version Ranges: >= 0.3.9, < 0.16.0
Fixed in: 0.16.0
All affected versions: 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13, 0.3.14, 0.3.15, 0.3.16, 0.3.17, 0.3.18, 0.3.19, 0.4.0, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0
All unaffected versions: 0.16.0, 0.16.1, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.22.1, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.29.1, 1.29.2, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.33.0, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.34.4, 1.35.0, 1.36.0, 1.37.0, 1.37.1, 1.37.2, 1.38.0, 1.39.0, 1.40.0, 1.40.1, 1.41.0, 1.42.0, 1.42.1, 1.43.0, 1.43.1, 1.44.0, 1.45.0, 1.45.1, 1.46.0, 1.46.1, 1.47.0, 1.47.1