PT-2022-18814 · Selenium · Selenium Grid

Gabriel Corona · Published 2022-04-15 · Updated 2022-04-25 · CVE-2022-28109

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Selenium Selenium Grid (formerly Selenium Standalone Server) versions prior to 4.0.0-alpha-7

Description
The WebDriver endpoint of Selenium Grid / Selenium Standalone Server is exposed to DNS rebinding. The attack is triggered by browsing to a malicious remote web server and allows remote execution of arbitrary code on the machine.

Recommendations
Update to version 4.0.0-alpha-7 or later to resolve the issue. As a temporary workaround, consider restricting access to the WebDriver endpoint of Selenium Server (Grid) to minimize the risk of exploitation.

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2022-28109

Affected Products

Selenium
Selenium Grid
Selenium Standalone Server