CVE-2019-17636
Insufficient Verification of Data Authenticity in Eclipse Theia
8.1
HIGH
CVSS 3.1
EPSS 0.12%
Description
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. For its own needs, this extension exposes an HTTP endpoint that allows reading the content of files on the host's filesystem, given their path, without any restriction on the requester's origin. This design can be exploited remotely through a DNS rebinding attack or through a drive-by download of a carefully crafted exploit: any web page the user visits can cause the browser to issue requests to the local endpoint and read back files.
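The check the description says is missing, as an added example that is not code from Eclipse Theia or from the @theia/mini-browser package (the actual 0.16.0 fix is not reproduced here). A local HTTP endpoint that serves file contents has to refuse requests whose Host header names a host it is not served on (that is what defeats DNS rebinding, since the rebound name still arrives in Host) and requests whose Origin header names a foreign site (the drive-by case). ALLOWED_HOSTS, the port 3000 and the sample request objects are assumptions constructed for this demonstration; the function names are hypothetical.

```javascript
// Hostnames the endpoint is legitimately served on. Assumption for this
// example; a real deployment would derive this from its bind address/config.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Extract the hostname from a Host header value, dropping the port and
// keeping IPv6 brackets so "[::1]:3000" compares equal to "[::1]".
function hostnameOf(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.trim() === '') return null;
  const h = hostHeader.trim().toLowerCase();
  if (h.startsWith('[')) {
    const end = h.indexOf(']');
    return end === -1 ? null : h.slice(0, end + 1);
  }
  return h.split(':')[0];
}

// Hostname of an Origin header: undefined when the header was not sent,
// null when it is the opaque origin "null" or cannot be parsed.
function originHostnameOf(originHeader) {
  if (originHeader === undefined) return undefined;
  if (originHeader === 'null') return null;
  try {
    return new URL(originHeader).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Decide whether a request may reach the file-reading handler.
// Returns { allowed, reason } so the caller can log why it was rejected.
function checkRequest(headers) {
  const host = hostnameOf(headers.host);
  if (host === null) {
    return { allowed: false, reason: 'missing or malformed Host header' };
  }
  // DNS rebinding: attacker.example now resolves to 127.0.0.1, so the TCP
  // connection is local, but the browser still sends Host: attacker.example.
  // Comparing Host against the allow-list is what stops the attack.
  if (!ALLOWED_HOSTS.has(host)) {
    return { allowed: false, reason: `Host "${host}" is not an allowed host` };
  }
  const origin = originHostnameOf(headers.origin);
  // Drive-by: a page on attacker.example fetches http://localhost:3000/...;
  // Host is fine but Origin names the attacker's site. Refuse it instead of
  // answering with a permissive Access-Control-Allow-Origin.
  if (origin === null || (origin !== undefined && !ALLOWED_HOSTS.has(origin))) {
    return { allowed: false, reason: `Origin "${headers.origin}" is not allowed` };
  }
  return { allowed: true, reason: 'Host and Origin match the served host' };
}

// Constructed requests covering the cases the advisory describes.
const SAMPLE_REQUESTS = [
  { label: 'legitimate IDE request',
    headers: { host: 'localhost:3000', origin: 'http://localhost:3000' } },
  { label: 'DNS rebinding',
    headers: { host: 'attacker.example:3000', origin: 'http://attacker.example:3000' } },
  { label: 'drive-by cross-origin fetch',
    headers: { host: 'localhost:3000', origin: 'https://attacker.example' } },
  { label: 'no Origin header (non-CORS GET from the IDE itself)',
    headers: { host: '127.0.0.1:3000' } },
];

// Run every sample through the gate; returns the verdicts for inspection.
function evaluateSamples() {
  return SAMPLE_REQUESTS.map(r => ({ label: r.label, ...checkRequest(r.headers) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.allowed ? 'ALLOW ' : 'REJECT'} ${r.label}: ${r.reason}`);
}
```

A request with no Origin header is accepted once Host matches, because browsers omit Origin on many same-origin GETs; a stricter gate could additionally require a Sec-Fetch-Site of same-origin or none. The Host check is the part no attacker-controlled page can evade, since rebinding changes only what the name resolves to, not the name the browser puts in the header.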
How to fix CVE-2019-17636
To fix CVE-2019-17636, upgrade the affected package to the patched version below.
- Upgrade the affected extension to 0.16.0 or later
Is CVE-2019-17636 being exploited?
Low. EPSS is 0.1%, and no widespread exploitation activity has been observed.
Affected packages (1)
- Affected versions: >= 0.3.9, < 0.16.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |