ByteOS Network

NVD Vulnerability Details :

CVE-2019-17636

Analyzed

Source-emo@eclipse.org

Published At-10 Mar, 2020 | 15:15

Updated At-11 Mar, 2020 | 17:58

In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's filesystem, given their path, without restrictions on the requester's origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary	2.0	5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N

Type: Primary

Version: 3.1

Base score: 8.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Type: Primary

Version: 2.0

Base score: 5.8

Base severity: MEDIUM

Vector:

AV:N/AC:M/Au:N/C:P/I:P/A:N

CPE Matches

Eclipse Foundation AISBL

>>theia>>Versions from 0.3.9(inclusive) to 0.15.0(inclusive)

cpe:2.3:a:eclipse:theia:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-345	Primary	nvd@nist.gov
CWE-345	Secondary	emo@eclipse.org

CWE ID: CWE-345

Type: Primary

Source: nvd@nist.gov

CWE ID: CWE-345

Type: Secondary

Source: emo@eclipse.org

References

Hyperlink	Source	Resource
https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747	emo@eclipse.org	Exploit Issue Tracking Vendor Advisory

Hyperlink: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747

Source: emo@eclipse.org

Resource:

Exploit

Issue Tracking

Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History