Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhmd3gtYzdxNi1nNTRj

Vulnerability allowing for reading internal HTTP resources

Impact

The vulnerability allows for reading and outputting files served by other services on the internal network in which the export server is hosted. If the export server is exposed to the internet, this potentially allows a malicious user to gain read access to internal web-resources.

The impact is limited to internal services that serve content via. HTTP(S), and requires the attacker to know internal hostnames/IP addresses.

The previous versions have been marked as deprecated on NPM.

Patches

Version 2.1.0 released alongside this security advisory addresses the issue. Please note that this release is not backwards compatible out of the box. See the changelog for details.

Additionally, it's also recommended to upgrade to the latest version of Highcharts to get the added input sanitation implemented in version 9.0 and later.

Workarounds

There are no known workarounds to the issue - an upgrade to version 2.1.0 is required.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-hfwx-c7q6-g54c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhmd3gtYzdxNi1nNTRj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-hfwx-c7q6-g54c
References: Repository: https://github.com/highcharts/node-export-server
Blast Radius: 0.0

Affected Packages

npm:highcharts-export-server
Dependent packages: 16
Dependent repositories: 48
Downloads: 47,127 last month
Affected Version Ranges: <= 2.0.30
Fixed in: 2.1.0
All affected versions: 0.1.0, 0.1.1, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.23, 0.1.24, 0.1.25, 0.1.26, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.51, 0.2.52, 0.2.53, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.15, 2.0.16, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.28, 2.0.29, 2.0.30
All unaffected versions: 2.1.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1