Lucene search

GitHub Advisory DatabaseGHSA-665W-MWRR-77Q3

HistoryJun 05, 2024 - 1:29 p.m.

Arbitrary file read via Playwright's screenshot feature exploiting file wrapper

2024-06-0513:29:10

CWE-22

GitHub Advisory Database

github.com

arbitrary file read

playwright screenshot

url-to-png

patch v2.0.3

upgrade

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

Low

EPSS

Percentile

15.5%

JSON

Impact

All users of url-to-png. Please see https://github.com/jasonraimondi/url-to-png/issues/47

Patches

v2.0.3 requires input url to be of protocol http or https

Workarounds

Requires upgrade.

References

Affected configurations

Vulners

Node

jmondiurl-to-pngRange<2.0.3

VendorProductVersionCPE
jmondiurl-to-png*cpe:2.3:a:jmondi:url-to-png:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
jmondi	url-to-png	*	cpe:2.3:a:jmondi:url-to-png::::::::

References

github.com/advisories/GHSA-665w-mwrr-77q3

github.com/jasonraimondi/url-to-png/commit/9336020c5e603323f5cf4a2ac3bb9a7735cf61f7

github.com/jasonraimondi/url-to-png/issues/47

github.com/jasonraimondi/url-to-png/releases/tag/v2.0.3

github.com/jasonraimondi/url-to-png/security/advisories/GHSA-665w-mwrr-77q3

github.com/user-attachments/files/15536336/Arbitrary.File.Read.via.Playwright.s.Screenshot.Feature.Exploiting.File.Wrapper.pdf

nvd.nist.gov/vuln/detail/CVE-2024-37169

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

Low

EPSS

Percentile

15.5%

JSON

Related for GHSA-665W-MWRR-77Q3