CVE-2020-7758 - Vulnerability Details - OpenCVE

This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00509.

Key SSVC decision points have not yet been added.

Vendors	Products
Browserless	Chrome

Configuration 1 [-]

cpe:2.3:a:browserless:chrome:*:*:*:*:*:node.js:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-1017	This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.
Github GHSA	GHSA-8p9r-f949-699g	Path Traversal in browserless-chrome

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175
https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6
https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable
https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-11-02T18:30:22.046163Z

Updated: 2024-09-16T20:42:47.740Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7758

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-11-02T22:15:13.580

Modified: 2024-11-21T05:37:44.793

Link: CVE-2020-7758

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "browserless-chrome", "vendor": "n/a", "versions": [{"status": "affected", "version": "before 1.40.2-chrome-stable"}]}], "credits": [{"lang": "en", "value": "Snyk Security Team"}], "datePublic": "2020-11-02T00:00:00", "descriptions": [{"lang": "en", "value": "This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "NONE", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "REASONABLE", "scope": "UNCHANGED", "temporalScore": 6.5, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:R", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Path Traversal", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-18T02:36:08", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}], "title": "Path Traversal", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-11-02T18:27:18.886549Z", "ID": "CVE-2020-7758", "STATE": "PUBLIC", "TITLE": "Path Traversal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "browserless-chrome", "version": {"version_data": [{"version_value": "before 1.40.2-chrome-stable"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Snyk Security Team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:R", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}, {"name": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175", "refsource": "MISC", "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"name": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6", "refsource": "MISC", "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"name": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable", "refsource": "MISC", "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:41:01.614Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7758", "datePublished": "2020-11-02T18:30:22.046163Z", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-09-16T20:42:47.740Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:browserless:chrome:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B126F402-8BBC-4988-8348-F7DF30C8FA84", "versionEndExcluding": "1.40.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server."}, {"lang": "es", "value": "Esto afecta a las versiones del paquete browserless-chrome anterioes a la versi\u00f3n 1.40.2-chrome-stable. La entrada del usuario que fluye desde el endpoint del espacio de trabajo es usada para crear una ruta de archivo filePath y esta es extra\u00edda y luego se env\u00eda de vuelta a un usuario. Esto puede ser escapado para recuperar archivos arbitrarios desde un servidor"}], "id": "CVE-2020-7758", "lastModified": "2024-11-21T05:37:44.793", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2020-11-02T22:15:13.580", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"source": "report@snyk.io", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}