PT-2021-12817 · Unknown · Rendertron

Published: 2021-02-23 · Updated: 2021-03-01 · CVE-2020-8902

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Rendertron versions prior to 3.0.0
Description: The issue allows an attacker to perform a Server-Side Request Forgery (SSRF) attack by using a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot.
Recommendations: For Rendertron versions prior to 3.0.0, upgrade to version 3.0.0 to resolve the issue. If an upgrade to version 3.0.0 is not possible, secure the infrastructure to limit the headless chrome's access to your internal domain.

Tags: Fix · SSRF · Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2020-8902
GHSA-XR9H-9M79-X29G

Affected Products

Rendertron