CVE-2020-8902

CWE-284Improper Access ControlCWE-918Server-Side Request Forgery (SSRF)4 documents4 sources
Severity
4.3MEDIUM
EPSS
0.1%
top 82.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Google LLC RendertronGoogle Rendertron
Timeline
PublishedFeb 23
Latest updateMar 1

Description

Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are to upgrade your rendertron to version 3.0.0, or, if you cannot update, to secure the infrastructure to limit the headless chrome's access to your internal domain.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages3 packages

npmrendertron< 3.0.0
NVDgoogle/rendertron< 3.0.0
CVEListV5google_llc/rendertronstable3.0.0

🔴Vulnerability Details

3
GHSA
SSRF in Rendertron2021-03-01
OSV
SSRF in Rendertron2021-03-01
CVEList
SSRF in Rendertron2021-02-23
CVE-2020-8902 (MEDIUM CVSS 4.3) | Rendertron versions prior to 3.0.0 | cvebase.io