CVE-2020-7758 - OpenCVE

This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Browserless	Chrome

Configuration 1 [-]

cpe:2.3:a:browserless:chrome:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175	Broken Link
https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6	Patch Third Party Advisory
https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable	Release Notes Third Party Advisory
https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2020-11-02T00:00:00

Updated: 2020-11-18T02:36:08

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7758

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-02T22:15:13.580

Modified: 2022-10-19T17:10:05.133

Link: CVE-2020-7758

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "browserless-chrome", "vendor": "n/a", "versions": [{"status": "affected", "version": "before 1.40.2-chrome-stable"}]}], "credits": [{"lang": "en", "value": "Snyk Security Team"}], "datePublic": "2020-11-02T00:00:00", "descriptions": [{"lang": "en", "value": "This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "NONE", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "REASONABLE", "scope": "UNCHANGED", "temporalScore": 6.5, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:R", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Path Traversal", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-18T02:36:08", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}], "title": "Path Traversal", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-11-02T18:27:18.886549Z", "ID": "CVE-2020-7758", "STATE": "PUBLIC", "TITLE": "Path Traversal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "browserless-chrome", "version": {"version_data": [{"version_value": "before 1.40.2-chrome-stable"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Snyk Security Team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:R", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}, {"name": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175", "refsource": "MISC", "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"name": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6", "refsource": "MISC", "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"name": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable", "refsource": "MISC", "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7758", "datePublished": "2020-11-02T00:00:00", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2020-11-18T02:36:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:browserless:chrome:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B126F402-8BBC-4988-8348-F7DF30C8FA84", "versionEndExcluding": "1.40.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server."}, {"lang": "es", "value": "Esto afecta a las versiones del paquete browserless-chrome anterioes a la versi\u00f3n 1.40.2-chrome-stable. La entrada del usuario que fluye desde el endpoint del espacio de trabajo es usada para crear una ruta de archivo filePath y esta es extra\u00edda y luego se env\u00eda de vuelta a un usuario. Esto puede ser escapado para recuperar archivos arbitrarios desde un servidor"}], "id": "CVE-2020-7758", "lastModified": "2022-10-19T17:10:05.133", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Primary"}]}, "published": "2020-11-02T22:15:13.580", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/browserless/chrome/blob/master/src/routes.ts%23L175"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/browserless/chrome/commit/848b87e5bea4f8473eea85261a5ff922d6ebd2b6"}, {"source": "report@snyk.io", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/browserless/chrome/releases/tag/1.40.2-chrome-stable"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-BROWSERLESSCHROME-1023657"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}