PT-2020-9929 · Eclipse · Eclipse Theia
Published
2020-03-10
·
Updated
2021-04-13
·
CVE-2019-17636
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Eclipse Theia versions 0.3.9 through 0.15.0
Description
The issue concerns the "Mini-Browser" extension, published as "@theia/mini-browser" on npmjs.com, which is one of the default pre-packaged Theia extensions. This extension exposes an HTTP endpoint that allows reading the content of files on the host's filesystem, given their path, without restrictions on the requester's origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.
Recommendations
For Eclipse Theia versions 0.3.9 through 0.15.0, consider disabling the "Mini-Browser" extension until a patch is available to prevent exploitation through the exposed HTTP endpoint. Restrict access to the HTTP endpoint exposed by the "Mini-Browser" extension to minimize the risk of exploitation.
Exploit
Fix
Insufficient Verification of Data Authenticity
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Eclipse Theia