CVE-2020-7758 - OpenCVE

This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Browserless	Chrome

Configuration 1 [-]

cpe:2.3:a:browserless:chrome:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175
https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6
https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable
https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-11-02T18:30:22.046163Z

Updated: 2024-09-16T20:42:47.740Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7758

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-02T22:15:13.580

Modified: 2022-10-19T17:10:05.133

Link: CVE-2020-7758

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "browserless-chrome", "vendor": "n/a", "versions": [{"status": "affected", "version": "before 1.40.2-chrome-stable"}]}], "credits": [{"lang": "en", "value": "Snyk Security Team"}], "datePublic": "2020-11-02T00:00:00", "descriptions": [{"lang": "en", "value": "This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "NONE", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "REASONABLE", "scope": "UNCHANGED", "temporalScore": 6.5, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:R", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Path Traversal", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-18T02:36:08", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}], "title": "Path Traversal", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-11-02T18:27:18.886549Z", "ID": "CVE-2020-7758", "STATE": "PUBLIC", "TITLE": "Path Traversal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "browserless-chrome", "version": {"version_data": [{"version_value": "before 1.40.2-chrome-stable"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Snyk Security Team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:R", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}, {"name": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175", "refsource": "MISC", "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"name": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6", "refsource": "MISC", "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"name": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable", "refsource": "MISC", "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:41:01.614Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7758", "datePublished": "2020-11-02T18:30:22.046163Z", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-09-16T20:42:47.740Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:browserless:chrome:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B126F402-8BBC-4988-8348-F7DF30C8FA84", "versionEndExcluding": "1.40.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server."}, {"lang": "es", "value": "Esto afecta a las versiones del paquete browserless-chrome anterioes a la versi\u00f3n 1.40.2-chrome-stable. La entrada del usuario que fluye desde el endpoint del espacio de trabajo es usada para crear una ruta de archivo filePath y esta es extra\u00edda y luego se env\u00eda de vuelta a un usuario. Esto puede ser escapado para recuperar archivos arbitrarios desde un servidor"}], "id": "CVE-2020-7758", "lastModified": "2022-10-19T17:10:05.133", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Primary"}]}, "published": "2020-11-02T22:15:13.580", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"source": "report@snyk.io", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}