CVE-2024-36527
published 2024-06-17


Priority: P3 43
CVSS 3.1: 6.5 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 2.56% (83.1th percentile)
puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server.

Detection & IOCs (extracted from sources)

  • url: {{BaseURL}}/html?url=file:///etc/passwd
  • path: /html?url=file:///etc/passwd
  • other: file:///etc/passwd
  • regex: root:.*:0:0:
  • Send a GET request to the /html endpoint with the `url` parameter set to `file:///etc/passwd`. A vulnerable server will return the contents of /etc/passwd in the response body.
  • Match the HTTP response body for the regex pattern `root:.*:0:0:` to confirm successful directory traversal and file read.
  • Confirm exploitation by also checking for HTTP 200 status code alongside the passwd file content match.
  • The vulnerable endpoint is `/html` and the attack vector is the `url` query parameter being supplied with the `file://` protocol scheme to read local files.
  • The vulnerability affects puppeteer-renderer v3.2.0 and all prior versions. Version 3.3.0 and later are patched.
  • The detection template targets Linux-based servers (reads /etc/passwd). Detection on Windows hosts would require a different file path payload.
  • Remediation requires restricting the `url` parameter to only `http` and `https` protocols in addition to upgrading to v3.3.0+.